CVE-2025-13324

Summary

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.11.0 <= 10.11.5affected
MattermostMattermost11.0.0 <= 11.0.4affected
MattermostMattermost10.12.0 <= 10.12.2affected
MattermostMattermost11.1.0unaffected
MattermostMattermost10.11.6unaffected
MattermostMattermost11.0.5unaffected
MattermostMattermost10.12.3unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References