Description
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests. Mattermost Advisory ID: MMSA-2026-00624
Published: 2026-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Token Reuse
Action: Immediate Patch
AI Analysis

Impact

Mattermost versions 10.11.x up to 10.11.12, 11.5.x up to 11.5.0, 11.4.x up to 11.4.2, and 11.3.x up to 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens: the check that a token is still valid and the step that invalidates it are not performed as one indivisible operation, so an attacker holding a valid magic link can open multiple independent authenticated sessions by sending concurrent requests. Each resulting session impersonates the guest user the link was issued to, with that guest's access to private channels and the ability to read or modify whatever data the guest can reach. The weakness is a time-of-check/time-of-use race condition (CWE-367) that undermines the integrity of authentication.
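To make the "atomic single-use consumption" point concrete, the following added example (not Mattermost's code, and not taken from the advisory) contrasts the vulnerable check-then-invalidate pattern with a consumption step that is atomic. The token store is a constructed in-memory stand-in for a database table of one-time login tokens; the token values and user names are made up, and the runtime.Gosched() call is a hypothetical stand-in for the latency between two separate database round trips. ConcurrentRedeem is the regression check a maintainer would add: it redeems one token from many goroutines at once and counts how many sessions were created, which must be exactly one.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"sync"
)

// ErrTokenInvalid is returned when a token is unknown or already consumed.
var ErrTokenInvalid = errors.New("magic link token invalid or already used")

// Session stands in for an authenticated session bound to one user.
type Session struct {
	User string
}

// TokenStore is a constructed in-memory stand-in for the persistent store
// of one-time magic link tokens.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]string // token -> user the link was issued to
}

func NewTokenStore() *TokenStore {
	return &TokenStore{tokens: make(map[string]string)}
}

// Issue records a fresh token for a user (the "send magic link" step).
func (s *TokenStore) Issue(token, user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[token] = user
}

// lookup and del each take the lock separately, mimicking two independent
// database queries: SELECT first, DELETE afterwards.
func (s *TokenStore) lookup(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.tokens[token]
	return u, ok
}

func (s *TokenStore) del(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.tokens, token)
}

// ConsumeRacy is the vulnerable check-then-use pattern (CWE-367): validity
// check and invalidation are separate operations, so several concurrent
// requests can all pass the check before any of them deletes the token,
// and each of them is handed a session.
func (s *TokenStore) ConsumeRacy(token string) (*Session, error) {
	user, ok := s.lookup(token)
	if !ok {
		return nil, ErrTokenInvalid
	}
	runtime.Gosched() // hypothetical: widens the window, standing in for inter-query latency
	s.del(token)
	return &Session{User: user}, nil
}

// ConsumeAtomic performs lookup and deletion under one critical section, so
// exactly one caller can ever succeed for a given token. Against a real
// database the equivalent is a single conditional write, e.g. a DELETE ...
// WHERE token = ? that only grants the session when one row was affected.
func (s *TokenStore) ConsumeAtomic(token string) (*Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.tokens[token]
	if !ok {
		return nil, ErrTokenInvalid
	}
	delete(s.tokens, token)
	return &Session{User: user}, nil
}

// ConcurrentRedeem is a regression check: it redeems the same token from n
// goroutines released simultaneously and returns how many sessions were
// created. A correctly single-use token yields exactly 1.
func ConcurrentRedeem(consume func(string) (*Session, error), token string, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	sessions := 0
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // all goroutines wait here, then race together
			if _, err := consume(token); err == nil {
				mu.Lock()
				sessions++
				mu.Unlock()
			}
		}()
	}
	close(start)
	wg.Wait()
	return sessions
}

func main() {
	racy := NewTokenStore()
	racy.Issue("tok-constructed-1", "guest@example.invalid") // constructed values
	fmt.Println("racy consume, sessions created:", ConcurrentRedeem(racy.ConsumeRacy, "tok-constructed-1", 50))

	safe := NewTokenStore()
	safe.Issue("tok-constructed-1", "guest@example.invalid")
	fmt.Println("atomic consume, sessions created:", ConcurrentRedeem(safe.ConsumeAtomic, "tok-constructed-1", 50))
}
```

The racy count is non-deterministic (it depends on scheduling), which is exactly why a test must assert on the atomic path producing one session and on a second redemption failing, rather than on observing the race. The same one-lock-or-one-conditional-write discipline applies to any one-time credential: password reset links, e-mail verification codes, and OAuth authorization codes.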

Affected Systems

Mattermost; affected versions are 10.11.x up to 10.11.12, 11.5.x up to 11.5.0, 11.4.x up to 11.4.2, and 11.3.x up to 11.3.2. The advisory identifies these releases as vulnerable and recommends upgrading to 11.6.0, 10.11.13, 11.5.1, 11.4.3, or 11.3.3 and newer.

Risk and Exploitability

The CVSS score of 6.5 corresponds to medium severity. Because no EPSS estimate is given in the analysis and the vulnerability is not listed in KEV, the likelihood of immediate exploitation is unknown, yet the flaw could be leveraged by anyone who has intercepted or phished a magic link. The attacker must send concurrent requests carrying the same magic link, which is achievable from a remote network position without prior authentication. If successful, the attacker holds multiple sessions authenticated as the guest user, each of which persists until it is terminated.

Generated by OpenCVE AI on April 15, 2026 at 12:21 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 10.11.13, 11.5.1, 11.4.3, 11.3.3 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to version 11.6.0, 10.11.13, 11.5.1, 11.4.3, 11.3.3, or a newer release, which enforces single-use consumption of guest magic link tokens.
  • Revoke all outstanding guest magic link tokens before applying the patch to prevent session hijacking.
  • Temporarily disable guest magic link authentication for all users until the update is applied, reducing the attack surface.

Generated by OpenCVE AI on April 15, 2026 at 12:21 UTC.

Advisories

No advisories yet.

References
History

Wed, 15 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 13:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Mattermost; Mattermost mattermost
Vendors & Products    -                Mattermost; Mattermost mattermost

Wed, 15 Apr 2026 11:30:00 +0000

Type          Values Removed   Values Added
Description   -                Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624
Title         -                Race Condition in Guest Magic Link Authentication Allows Token Reuse
Weaknesses    -                CWE-367
References    -                -
Metrics       -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-04-15T14:00:27.030Z

Reserved: 2026-03-05T11:34:57.712Z

Link: CVE-2026-3590

Vulnrichment

Updated: 2026-04-15T14:00:23.071Z

NVD

Status : Received

Published: 2026-04-15T12:16:40.023

Modified: 2026-04-15T12:16:40.023

Link: CVE-2026-3590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:38:28Z

Weaknesses