Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation

GHSA-x3r8-2hmh-89f5 · CVE-2025-13324 · GO-2025-4256

Published Dec 17, 2025 · Modified Dec 30, 2025

Description

Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-13324
WEB https://github.com/mattermost/mattermost/commit/364c2203de00fe0d8424b6b46d6f0eeb02a2539a
WEB https://github.com/mattermost/mattermost/commit/7ccb62db7958abd6a4b21a06c5a4f5367a8f8b1f
WEB https://github.com/mattermost/mattermost/commit/9f54e5cdc3aef412945ff0e6a58338f7b549bdda
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes