CVE-2025-58075
HIGHMattermost 10.5.0-10.5.10 10.10.0-10.10.2 10.11.0-10.11.1 - Unauthenticated Team Join via RelayState Manipulation
Title source: llmDescription
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState
References (1)
Core 1
Core References
Vendor Advisory
https://mattermost.com/security-updates
Scores
CVSS v3
8.1
EPSS
0.0005
EPSS Percentile
15.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (3)
mattermost/mattermost
0 - 8.0.0-20250815100400-2d5cdc6e217eGo
mattermost/mattermost-server
10.11.0 - 10.11.2Go
mattermost/mattermost_server
10.5.0 - 10.5.11
Published
Oct 16, 2025
Tracked Since
Feb 18, 2026