CVE-2026-4273
Analyzed Analyzed - Analysis Complete
Authentication Bypass in Mattermost via Token Reuse

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-4273
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.14 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Mattermost versions 11.5.x up to 11.5.1 and 10.11.x up to 10.11.13. The issue is that the software fails to verify that the RefreshedToken is different from the original invite token during the confirmation of a remote cluster invite.

Because of this failure, an authenticated attacker can bypass the intended token rotation mechanism by sending a specially crafted invite confirmation where the RefreshedToken matches the original token, allowing reuse of the original invite token.

Impact Analysis

This vulnerability allows an authenticated attacker to reuse an original invite token instead of a refreshed one, effectively bypassing token rotation protections.

This could lead to unauthorized access or actions within the Mattermost system related to remote cluster invites, potentially compromising the integrity of invite processes.

However, the CVSS base score is 3.7, indicating a low severity impact with no direct confidentiality or availability impact, but with a low impact on integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 for the 11.5.x branch or later than 10.11.13 for the 10.11.x branch, as these versions fix the issue with token validation during remote cluster invite confirmation.

Additionally, stay informed about security updates by subscribing to Mattermost's Security Bulletin and regularly checking their security updates page.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4273. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart