PT-2026-42432 · Mattermost · Mattermost Mobile Apps

Doyensec

·

Published

2026-05-21

·

Updated

2026-05-21

·

CVE-2026-22880

CVSS v3.1

6.1

Medium

VectorAV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Mattermost Mobile Apps versions prior to 2.38
Description The application fails to properly validate the SSO authentication callback origin. This allows an attacker who controls a malicious Mattermost server to steal user credentials for a legitimate Mattermost server by relaying the SSO code exchange flow through the mobile application.
Recommendations Update to a version newer than 2.37.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09269
CVE-2026-22880

Affected Products

Mattermost Mobile Apps