Mattermost allows remote actor to set arbitrary RemoteId values for synced users

GHSA-9fpw-c9x7-cv3j · BIT-mattermost-2024-41926 · CVE-2024-41926 · GO-2024-3022

Published Aug 1, 2024 · Modified Jul 9, 2025

Description

Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-41926
WEB https://github.com/mattermost/mattermost/commit/5114c3b7cdb84086959bf0ef8bc5afdaedf9fef6
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates
WEB https://pkg.go.dev/vuln/GO-2024-3022

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes