CVE-2026-4273

LOW

Insufficient token rotation validation in remote cluster invite confirmation

Title source: cna
STIX 2.1

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00575
https://mattermost.com/security-updates

Scores

CVSS v3 3.7
EPSS 0.0014
EPSS Percentile 3.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (10)
mattermost/mattermost 0 - 8.0.0-20260313190740-742e0be95074Go
Mattermost/Mattermost 10.11.0 - 10.11.13
mattermost/mattermost 10.11.0 - 10.11.14Go
Mattermost/Mattermost 10.11.14
Mattermost/Mattermost 11.5.0 - 11.5.1
mattermost/mattermost 11.5.0 - 11.5.2Go
Mattermost/Mattermost 11.5.2
Mattermost/Mattermost 11.6.0
mattermost/mattermost-server 0 - 5.3.2-0.20260313190740-742e0be95074Go
mattermost/mattermost_server 10.11.0 - 10.11.14
Published May 18, 2026
Tracked Since May 18, 2026