CVE-2026-22880

Summary

Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 2.0.37affected
MattermostMattermost0 <= 11.0.4affected
MattermostMattermost0 <= 11.1.3affected
MattermostMattermost0 <= 11.3.2affected
MattermostMattermost0 <= 10.11.11affected
MattermostMattermost2.38.0unaffected
MattermostMattermost11.5.0unaffected
MattermostMattermost2.37.1.0unaffected
MattermostMattermost11.4.1unaffected
MattermostMattermost11.3.2unaffected
MattermostMattermost11.2.4unaffected
MattermostMattermost10.11.12unaffected

Weaknesses

  • CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References