PT-2026-42432 · Mattermost · Mattermost Mobile Apps
Doyensec
·
Published
2026-05-21
·
Updated
2026-05-21
·
CVE-2026-22880
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost Mobile Apps versions prior to 2.38
Description
The application fails to properly validate the SSO authentication callback origin. This allows an attacker who controls a malicious Mattermost server to steal user credentials for a legitimate Mattermost server by relaying the SSO code exchange flow through the mobile application.
Recommendations
Update to a version newer than 2.37.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost Mobile Apps