CVE-2026-3590
Received
Received - Intake
Magic Link Token Replay Vulnerability in Mattermost Authentication
Publication date: 2026-04-15
Last updated on: 2026-04-22
Assigner: Mattermost, Inc.
Description
Description
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.13 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.3 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.3 (exc) |
| mattermost | mattermost_server | From 11.5.0 (inc) to 11.5.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
