CVE-2025-13324: Incorrect Authorization in Mattermost (vendor: Mattermost)

Severity: 3.7 LOW (NVD)
EPSS: 0.0% (top 86.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 17; latest update Dec 30

Description

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (5 packages)

Source     | Package                                          | Affected from | Fixed / last affected                  | More
NVD        | mattermost/mattermost_server                     | 10.11.0       | 10.11.6                                | +2
Go         | github.com/mattermost/mattermost                 | 10.12.0       | 10.12.2                                | +5
Go         | github.com/mattermost/mattermost/server/v8       | < 8.0.0-20251031095924-e7e23b94e006 |      |
CVEListV5  | mattermost/mattermost                            | 10.11.0       | 10.11.5                                | +2

Vulnerability Details (4)

OSV: Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost (2025-12-30)
OSV: Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation (2025-12-17)
GHSA: Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation (2025-12-17)
CVEList: Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation (2025-12-17)

Threat Intelligence (1)

Wiz: CVE-2025-13324 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-13324 — Incorrect Authorization | cvebase