Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575
Published: 2026-05-18
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 10.11.x through 10.11.13 and 11.5.x through 11.5.1 fail to verify that the refreshed token differs from the original invite token during remote cluster invite confirmation. This flaw permits an authenticated attacker to send a crafted confirmation request that reuses the original token, allowing the attacker to bypass token rotation and gain cluster invitation privileges that should require a new, distinct token. The vulnerability is categorized as an authorization bypass (CWE-863).

Affected Systems

Mattermost releases 10.11.0 up to 10.11.13 and 11.5.0 up to 11.5.1 are affected. The flaw is specific to the remote cluster invite confirmation workflow used by these versions.

Risk and Exploitability

The CVSS score of 3.7 places the vulnerability in the low range, and no EPSS score is available. The issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to already be authenticated to the Mattermost instance and to be able to craft an invite confirmation request; beyond that, no further precondition is needed to bypass token rotation and reuse a previously issued cluster invite token. Given the current evidence, the likelihood of exploitation is moderate because authenticated access is required, but the impact of gaining unauthorized cluster membership is significant.

Generated by OpenCVE AI on May 18, 2026 at 09:21 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14 or higher.

OpenCVE Recommended Actions

  • Upgrade Mattermost to a fixed version (≥11.6.0, ≥11.5.2, or ≥10.11.14).
  • If a direct upgrade is not possible immediately, disable the remote cluster invite confirmation feature to prevent token reuse.
  • After applying the fix, audit invite logs for any unexpected token reuse and regenerate tokens for existing clusters.

History

Mon, 18 May 2026 09:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost
Vendors & Products  |                | Mattermost; Mattermost mattermost

Mon, 18 May 2026 08:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575
Title       |                | Insufficient token rotation validation in remote cluster invite confirmation
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T06:56:11.868Z

Reserved: 2026-03-16T15:08:11.383Z

Link: CVE-2026-4273

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T08:16:14.180

Modified: 2026-05-18T08:16:14.180

Link: CVE-2026-4273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T09:30:22Z

Weaknesses