Moderate severity · OSV Advisory · Published Dec 17, 2025 · Updated Dec 24, 2025
Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation
CVE-2025-13324
Description
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when the legacy (version 1) protocol is used, or when the confirming party does not provide a refreshed token. An attacker who has obtained an invite token can therefore continue to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed. Note that the version bounds in this description (<= 10.11.5, <= 11.0.4, <= 10.12.2) do not match the GHSA ranges in the table below, which list 10.11.5, 10.12.2 and 11.0.4 as the patched releases; when in doubt, treat the GHSA ranges as authoritative and upgrade to at least those versions.
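The flaw is a credential-lifecycle bug rather than a cryptographic one: the secret handed out in the invitation keeps working as an authentication credential after the invite has served its purpose. The following Go program is an added example, not Mattermost code, that models the invite/confirm/authenticate flow with a toy `registry` type and hypothetical names (`Invite`, `Confirm`, `Authenticate`, `Demo`). With `strict=false` it reproduces the behaviour described above (the invite token is only retired when a v2 peer volunteers a refreshed token); with `strict=true` it always retires the invite token at confirmation, minting a fresh credential if the peer did not send one.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Constructed model of a remote-cluster invite flow (hypothetical names;
// not Mattermost's implementation).
const (
	ProtocolV1 = 1 // legacy protocol: confirmation never carries a refreshed token
	ProtocolV2 = 2 // confirmation may carry a refreshed token
)

type remote struct {
	inviteToken string // secret embedded in the invitation sent to the peer
	authToken   string // secret the peer must present on later requests
	confirmed   bool
}

type registry struct {
	mu      sync.Mutex
	remotes map[string]*remote
	strict  bool // false: flawed behaviour; true: hardened behaviour
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Invite registers a pending remote and returns the invite token. Initially
// the invite token doubles as the auth token, which is what makes a missing
// rotation step dangerous.
func (r *registry) Invite(id string) string {
	r.mu.Lock()
	defer r.mu.Unlock()
	tok := newToken()
	r.remotes[id] = &remote{inviteToken: tok, authToken: tok}
	return tok
}

// Confirm records the peer's acceptance. In flawed mode the auth token is
// rotated only if a v2 peer supplied a refreshed token; otherwise the invite
// token silently remains a valid credential. In strict mode the invite token
// is always invalidated and a refreshed token is required (generated here if
// the peer did not provide one).
func (r *registry) Confirm(id string, proto int, refreshed string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	rc, ok := r.remotes[id]
	if !ok || rc.confirmed {
		return "", errors.New("unknown or already confirmed remote")
	}
	rc.confirmed = true
	if !r.strict {
		if proto >= ProtocolV2 && refreshed != "" {
			rc.authToken = refreshed
		}
		return rc.authToken, nil // invite token may still be live here
	}
	if refreshed == "" {
		refreshed = newToken()
	}
	rc.authToken = refreshed
	rc.inviteToken = "" // invite token retired on confirmation
	return rc.authToken, nil
}

// Authenticate checks a token presented by a peer claiming to be remote id.
func (r *registry) Authenticate(id, token string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	rc, ok := r.remotes[id]
	if !ok || !rc.confirmed || token == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(token), []byte(rc.authToken)) == 1
}

// Demo runs invite -> confirm -> authenticate and reports whether a captured
// invite token is still accepted afterwards, and whether the legitimately
// confirmed peer can authenticate with the token it received.
func Demo(strict bool, proto int, refreshed string) (inviteStillAccepted, peerAccepted bool) {
	reg := &registry{remotes: map[string]*remote{}, strict: strict}
	captured := reg.Invite("cluster-b") // attacker has obtained this invite token
	authTok, err := reg.Confirm("cluster-b", proto, refreshed)
	if err != nil {
		panic(err)
	}
	return reg.Authenticate("cluster-b", captured), reg.Authenticate("cluster-b", authTok)
}

func main() {
	for _, strict := range []bool{false, true} {
		for _, c := range []struct {
			proto     int
			refreshed string
		}{{ProtocolV1, ""}, {ProtocolV2, ""}, {ProtocolV2, "peer-refreshed-token"}} {
			inv, peer := Demo(strict, c.proto, c.refreshed)
			fmt.Printf("strict=%-5v proto=v%d refreshed=%-5v -> stale invite accepted=%-5v peer accepted=%v\n",
				strict, c.proto, c.refreshed != "", inv, peer)
		}
	}
}
```

The hardened branch shows the two properties a reviewer should look for in the real fix: the invite secret is never retained as a long-lived credential, and rotation does not depend on the peer's protocol version or on the peer remembering to send a new token.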
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost | Go | >= 10.12.0, < 10.12.2 | 10.12.2 |
| github.com/mattermost/mattermost | Go | >= 10.11.0-rc1, < 10.11.5 | 10.11.5 |
| github.com/mattermost/mattermost | Go | >= 11.0.0-alpha.1, < 11.0.4 | 11.0.4 |
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20251031095924-e7e23b94e006 | 8.0.0-20251031095924-e7e23b94e006 |
| github.com/mattermost/mattermost-server | Go | < 11.0.4 | 11.0.4 |
Affected products
- Range: @mattermost/client@10.11.0, @mattermost/client@10.12.0, @mattermost/client@11.0.4, …
- GHSA coordinates (4 version ranges, >= 10.12.0, < 10.12.2 plus 3 more), package URLs:
  - pkg:golang/github.com/mattermost/mattermost
  - pkg:golang/github.com/mattermost/mattermost-server
  - pkg:golang/github.com/mattermost/mattermost/server/v8
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: >= 10.12.0, < 10.12.2
- (no CPE) range: < 11.0.4
- (no CPE) range: < 8.0.0-20251031095924-e7e23b94e006
- (no CPE) range: < 0.0.20251230T014957-150000.1.134.1
References
- https://github.com/advisories/GHSA-x3r8-2hmh-89f5 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-13324 (NVD advisory entry)
- https://github.com/mattermost/mattermost/commit/364c2203de00fe0d8424b6b46d6f0eeb02a2539a (commit)
- https://github.com/mattermost/mattermost/commit/7ccb62db7958abd6a4b21a06c5a4f5367a8f8b1f (commit)
- https://github.com/mattermost/mattermost/commit/9f54e5cdc3aef412945ff0e6a58338f7b549bdda (commit)
- https://mattermost.com/security-updates (vendor security updates page)