CVE-2025-13324
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-29
Assigner: Mattermost, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.6 (exc) |
| mattermost | mattermost_server | From 10.12.0 (inc) to 10.12.3 (exc) |
| mattermost | mattermost_server | From 11.0.0 (inc) to 11.0.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost where invite tokens are not invalidated after being used. This flaw allows attackers who have intercepted these invite tokens to reuse them (token replay attack) to manipulate channel memberships, such as adding or removing users from private channels.
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthorized manipulation of private channel memberships. Malicious actors could add or remove users from private channels without permission, potentially leading to unauthorized access to sensitive communications or exclusion of legitimate users.