CVE-2025-13324

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authen...

low 3.7 CVSS 3.1

Published: Dec 17, 2025

Modified: Dec 29, 2025

Description

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

References

https://mattermost.com/security-updates

Related CVEs

CVSS Breakdown

Version	3.1
Score	3.7 / 10
Severity	low

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Weakness (CWE)

CWE-863

Affected Product

Vendor	Mattermost
Product	Mattermost Server