CVE-2025-13324

LOW

Mattermost Server < 10.11.6 - Incorrect Authorization

Title source: rule

Description

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 3.7

EPSS 0.0004

EPSS Percentile 13.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-863

Status published

Affected Products (4)

mattermost/mattermost_server < 10.11.6

mattermost/mattermost < 10.12.2Go

mattermost/mattermost < 8.0.0-20251031095924-e7e23b94e006Go

mattermost/mattermost-server < 11.0.4Go

Timeline

Published Dec 17, 2025

Tracked Since Feb 18, 2026