CVE-2025-58073
published 2025-10-16CVE-2025-58073: Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original…
high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.10.0 < 10.10.3 | 10.10.3 |
| github.com | mattermost_mattermost-server | >= 10.10.0+incompatible < 10.10.3+incompatible | 10.10.3+incompatible |
| github.com | mattermost_mattermost-server | >= 10.11.0 < 10.11.2 | 10.11.2 |
| github.com | mattermost_mattermost-server | >= 10.11.0+incompatible < 10.11.2+incompatible | 10.11.2+incompatible |
| github.com | mattermost_mattermost-server | >= 10.5.0 < 10.5.11 | 10.5.11 |
| github.com | mattermost_mattermost-server | >= 10.5.0+incompatible < 10.5.11+incompatible | 10.5.11+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250807174701-e14175eb6539 | 8.0.0-20250807174701-e14175eb6539 |
| mattermost | mattermost | 10.10.0 – 10.10.2 | — |
| mattermost | mattermost | 10.11.0 – 10.11.1 | — |
| mattermost | mattermost | 10.5.0 – 10.5.10 | — |
| mattermost | mattermost_server | >= 10.10.0 < 10.10.3 | 10.10.3 |
| mattermost | mattermost_server | >= 10.11.0 < 10.11.3 | 10.11.3 |
| mattermost | mattermost_server | >= 10.5.0 < 10.5.11 | 10.5.11 |