Impact
Mattermost versions 11.7.0 to 11.7.2 and 11.6.0 to 11.6.4 allow a deactivated guest account to create a valid session via the magic‑link login path because the system fails to validate the account’s deactivation status. As a result, an attacker who possesses a magic‑link token issued before deactivation can gain full access to the guest account’s functionality. This flaw is a classic example of improper authorization (CWE‑305) and enables unauthorized use of the system without requiring additional privileges.
Affected Systems
The affected product is Mattermost. The vulnerability exists in the REST API login endpoint of Mattermost versions 11.7.x up to and including 11.7.2 and 11.6.x up to and including 11.6.4. Other versions are not affected.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA KEV, suggesting no known zero‑day exploitation. Likely exploitation requires remote access to the API and possession of a previously‑issued magic‑link token; the attack vector is remote and involves no privilege escalation beyond the guest account’s permissions.
OpenCVE Enrichment