Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

GHSA-hqpj-f3jh-29vx · CVE-2026-4273

Published May 18, 2026 · Modified Jun 1, 2026

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-4273
WEB https://github.com/mattermost/mattermost/commit/742e0be9507454a7e662668e1d9ec1b94b636e9b
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes