CVE-2022-1385

LOW

Mattermost Server < 6.5.0 - Exposure to Wrong Actor

Title source: rule

Description

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

References (2)

[Vendor Advisory] https://mattermost.com/security-updates/

[Exploit, Third Party Advisory] https://hackerone.com/reports/1486820

Scores

CVSS v3 3.7

EPSS 0.0017

EPSS Percentile 37.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-668 CWE-664

Status published

Products (2)

mattermost/mattermost-server 0 - 6.5.0Go

mattermost/mattermost_server < 6.5.0

Published Apr 19, 2022

Tracked Since Feb 18, 2026