CVE-2025-13324

LOW

Mattermost 10.11.0-10.11.5, 11.0.0-11.0.4, 10.12.0-10.12.2 - Incorrect Authorization via Legacy Cluster Invite Token

Title source: llm

Description

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

References (1)

Core 1

Core References

Vendor Advisory

https://mattermost.com/security-updates

Scores

CVSS v3 3.7

EPSS 0.0003

EPSS Percentile 8.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (4)

mattermost/mattermost 0 - 8.0.0-20251031095924-e7e23b94e006Go

mattermost/mattermost 10.12.0 - 10.12.2Go

mattermost/mattermost-server 0 - 11.0.4Go

mattermost/mattermost_server 10.11.0 - 10.11.6

Published Dec 17, 2025

Tracked Since Feb 18, 2026