CVE-2025-58075

Summary

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.11.0 <= 10.11.1affected
MattermostMattermost10.10.0 <= 10.10.2affected
MattermostMattermost10.5.0 <= 10.5.10affected
MattermostMattermost10.12.0unaffected
MattermostMattermost10.11.2unaffected
MattermostMattermost10.10.3unaffected
MattermostMattermost10.5.11unaffected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References