Description
Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow, which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request. Mattermost Advisory ID: MMSA-2026-00570
Published: 2026-05-18
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when Mattermost fails to enforce the binding between an OAuth client and the authorization code issued during the OAuth redemption flow. An authenticated OAuth client can craft a token exchange request and redeem an authorization code that was issued to a different client. This flaw allows an attacker possessing credentials for one OAuth client to obtain access tokens for another, potentially exposing resources to which the attacker should not have access. The weakness originates from improper validation of client identity, as identified by CWE-305.

Affected Systems

Mattermost versions 10.11.0 through 10.11.13 and 11.5.0 through 11.5.1 are affected.

Risk and Exploitability

The CVSS score of 3.1 indicates a low severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to already be an authenticated OAuth client; unauthenticated users cannot leverage this flaw. If an attacker gains access to an OAuth client, they could potentially misuse authorization codes intended for other clients to access protected resources, but overall risk to the system remains limited under the current assessment.

Generated by OpenCVE AI on May 18, 2026 at 09:22 UTC.

Remediation

Vendor Solution

Update Mattermost to version 11.6.0, 11.5.2, or 10.11.14 or later.


OpenCVE Recommended Actions

  • Update Mattermost to a fixed version (11.6.0 or newer, 11.5.2 or newer, or 10.11.14 or newer).
  • Verify that OAuth token redemption processes in your Mattermost instance enforce client identity binding before issuing tokens.
  • Monitor OAuth token exchanges for anomalous reuse of authorization codes across different clients and review logs for unauthorized activity.

Generated by OpenCVE AI on May 18, 2026 at 09:22 UTC.
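The second recommended action above asks you to verify that the token endpoint binds the authorization code to the client redeeming it. As an added example (not Mattermost's code, and not the patched implementation), here is a minimal Go authorization-code store in which the client_id and redirect_uri are recorded at issuance and the token-endpoint check refuses redemption by any other authenticated client; the in-memory store, the type and function names, and the placeholder token string are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// authCode records what the authorization server knew when it issued the code.
// ClientID and RedirectURI are fixed at issuance and must match at redemption.
type authCode struct{ ClientID, RedirectURI, UserID string }
var (
	ErrUnknownCode      = errors.New("unknown or already redeemed authorization code")
	ErrClientMismatch   = errors.New("authorization code was issued to a different client")
	ErrRedirectMismatch = errors.New("redirect_uri does not match the authorization request")
)

// CodeStore is an in-memory stand-in for the server's code table (assumed; not
// goroutine-safe, and a real store also needs a short expiry on each code).
type CodeStore struct{ codes map[string]authCode }
func NewCodeStore() *CodeStore { return &CodeStore{codes: map[string]authCode{}} }

// Issue mints a random code bound to the client that made the authorization request.
func (s *CodeStore) Issue(clientID, redirectURI, userID string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	code := hex.EncodeToString(b)
	s.codes[code] = authCode{clientID, redirectURI, userID}
	return code
}

// Redeem is the token-endpoint check. authenticatedClientID is the client that
// authenticated on the token request; it must equal the client the code was
// issued to. Omitting that comparison is the missing binding this advisory describes.
func (s *CodeStore) Redeem(authenticatedClientID, code, redirectURI string) (string, error) {
	c, ok := s.codes[code]
	if !ok {
		return "", ErrUnknownCode
	}
	delete(s.codes, code) // single use: every outcome below consumes the code
	switch {
	case c.ClientID != authenticatedClientID:
		return "", ErrClientMismatch
	case c.RedirectURI != redirectURI:
		return "", ErrRedirectMismatch
	}
	return "token-for:" + c.UserID + "@" + c.ClientID, nil // placeholder for a real access token
}
```

A code rejected for a client mismatch is consumed, so the legitimate client cannot redeem it afterwards either; that matches the revoke-on-misuse guidance for authorization codes and is a useful signal to log for the monitoring action above.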

Advisories

No advisories yet.

History

Mon, 18 May 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mattermost; Mattermost mattermost
Vendors & Products                     Mattermost; Mattermost mattermost

Mon, 18 May 2026 08:00:00 +0000

Type          Values Removed   Values Added
Description                    Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow, which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request. Mattermost Advisory ID: MMSA-2026-00570
Title                          OAuth authorization code client binding not enforced during token redemption in Mattermost
Weaknesses                     CWE-305
References
Metrics                        cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N'}


Subscriptions

Mattermost Mattermost
MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T06:33:56.008Z

Reserved: 2026-04-15T08:55:52.710Z

Link: CVE-2026-6334

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T08:16:14.313

Modified: 2026-05-18T08:16:14.313

Link: CVE-2026-6334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:00:12Z

Weaknesses