CVE-2026-22880

MEDIUM

Mobile SSO authentication flow allows credential theft via malicious server

Title source: cna
STIX 2.1

Description

Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2025-00564
https://mattermost.com/security-updates

Scores

CVSS v3 6.1
EPSS 0.0001
EPSS Percentile 3.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (12)
Mattermost/Mattermost < 10.11.11
Mattermost/Mattermost < 11.0.4
Mattermost/Mattermost < 11.1.3
Mattermost/Mattermost < 11.3.2
Mattermost/Mattermost < 2.0.37
Mattermost/Mattermost 10.11.12
Mattermost/Mattermost 11.2.4
Mattermost/Mattermost 11.3.2
Mattermost/Mattermost 11.4.1
Mattermost/Mattermost 11.5.0
... and 2 more
Published May 21, 2026
Tracked Since May 21, 2026