CVE-2022-1385

LOW

Mattermost Server < 6.5.0 - Exposure to Wrong Actor

Title source: rule

Description

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

References (2)

[Exploit, Third Party Advisory] https://hackerone.com/reports/1486820

[Vendor Advisory] https://mattermost.com/security-updates/

Scores

CVSS v3 3.7

EPSS 0.0017

EPSS Percentile 37.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Classification

CWE

CWE-668 CWE-664

Status published

Affected Products (2)

mattermost/mattermost_server < 6.5.0

mattermost/mattermost-server < 6.5.0Go

Timeline

Published Apr 19, 2022

Tracked Since Feb 18, 2026