Impact
The vulnerability exists because the mobile application does not validate the origin of the SSO authentication callback correctly. When a malicious Mattermost server is used, the application accepts the callback and processes the code exchange, allowing the attacker to obtain user credentials that belong to a legitimate Mattermost installation. The weakness is a flaw in cross-site request forgery handling, as indexed by CWE-352, and results in unauthorized disclosure of login secrets from the mobile client back to the attacker.
Affected Systems
Mattermost Mobile Apps, specifically all versions up to and including 2.37, 11.4, 2.0.37, 11.0.4, 11.1.3, 11.3.2, or 10.11.11.0. The affected product is the Mattermost mobile client for iOS and Android, in any build carrying one of these version numbers.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Because no EPSS score is available, the known exploitation probability cannot be quantified, but the lack of origin checks allows an attacker who controls a fake Mattermost server to perform the SSO code exchange flow through a user’s mobile device. The necessary condition for exploitation is that the user logs in via the mobile app and trusts the malicious server, making this risk primarily relevant to environments where users authenticate through the mobile client and could be targeted by phishing or compromised server infrastructure.
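The following is an added illustration of the missing check described above, not code from the Mattermost mobile client: before a mobile app exchanges the SSO code from a callback, it should confirm that the callback's origin matches the server URL the user actually configured. The function names, the configured-server value and the exchangeCode callback are assumptions made for the example.

```javascript
// Added example (not Mattermost's own code): accept an SSO callback only when
// its origin matches the server the user configured. Names are hypothetical.

// Normalise an origin to scheme://host:port, applying default ports so that
// "https://chat.example.com" and "https://chat.example.com:443" compare equal.
function normalizeOrigin(rawUrl) {
  const u = new URL(rawUrl);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${u.port || defaultPort}`;
}

// True only when the callback uses https and its origin equals the configured
// server's origin. Comparing the parsed hostname (not the raw string) defeats
// userinfo tricks such as https://chat.example.com@evil.example/... and
// lookalike hosts such as chat.example.com.evil.example.
function isTrustedSsoCallback(callbackUrl, configuredServerUrl) {
  let cb;
  try {
    cb = new URL(callbackUrl);
  } catch (e) {
    return false; // unparsable input is never trusted
  }
  if (cb.protocol !== 'https:') return false;
  return normalizeOrigin(callbackUrl) === normalizeOrigin(configuredServerUrl);
}

// Perform the code exchange only for a trusted callback; otherwise drop it and
// return a reason suitable for logging, so the code (and the credentials it
// yields) never reach a server the user did not configure.
// exchangeCode is a hypothetical function that talks to the configured server.
function handleSsoCallback(callbackUrl, configuredServerUrl, exchangeCode) {
  if (!isTrustedSsoCallback(callbackUrl, configuredServerUrl)) {
    return { ok: false, reason: 'sso callback origin does not match configured server' };
  }
  const code = new URL(callbackUrl).searchParams.get('code');
  if (!code) {
    return { ok: false, reason: 'sso callback carries no code' };
  }
  return { ok: true, token: exchangeCode(code) };
}
```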
OpenCVE Enrichment