VYPR
Moderate severity · OSV Advisory · Published Dec 17, 2025 · Updated Dec 24, 2025

Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation

CVE-2025-13324

Description

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
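The token lifecycle the description refers to, modelled as an added Go example; this is not Mattermost's code, and the InviteStore type, its methods, the protocol constants and the remote cluster name are assumptions. A strict flag switches between the flawed rule, where the invite token is revoked only when the confirmer speaks the v2 protocol and supplies a refreshed token, and the hardened rule, where confirmation always revokes it. InviteSurvivesConfirm is the regression check that tells the two apart on every protocol path.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed example of a remote-cluster invite registry (not Mattermost's code).

const (
	ProtocolV1 = 1 // legacy protocol: the confirm message carries no refreshed token
	ProtocolV2 = 2 // current protocol: the confirm message may carry a refreshed token
)

var (
	ErrUnknownToken = errors.New("unknown or revoked token")
	ErrNotAnInvite  = errors.New("token is not a pending invite")
)

// credential is one token that authenticates a remote cluster; pending marks an unconfirmed invite.
type credential struct {
	remoteID string
	pending  bool
}

// InviteStore maps every live token to the remote cluster it authenticates. strict selects the
// hardened rule (invite revoked on every confirmation); false reproduces the flawed rule.
type InviteStore struct {
	creds  map[string]credential
	strict bool
}

func NewInviteStore(strict bool) *InviteStore {
	return &InviteStore{creds: make(map[string]credential), strict: strict}
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue mints an invite token. Until confirmation the token itself authenticates the remote
// cluster, which is exactly why it must stop working afterwards.
func (s *InviteStore) Issue(remoteID string) string {
	t := newToken()
	s.creds[t] = credential{remoteID: remoteID, pending: true}
	return t
}

// Confirm completes the invitation and returns the credential the remote cluster uses from
// now on: the refreshed token it supplied, or a freshly minted one.
func (s *InviteStore) Confirm(inviteToken string, protocol int, refreshed string) (string, error) {
	c, ok := s.creds[inviteToken]
	if !ok {
		return "", ErrUnknownToken
	}
	if !c.pending {
		return "", ErrNotAnInvite
	}
	active := refreshed
	if active == "" {
		active = newToken()
	}
	s.creds[active] = credential{remoteID: c.remoteID}
	// Hardened rule: an invite token is single-use regardless of protocol. Flawed rule: it is
	// revoked only on the v2 path with a refreshed token, so a v1 confirmer, or one that omits
	// the refreshed token, leaves the invite live after confirmation.
	if s.strict || (protocol == ProtocolV2 && refreshed != "") {
		delete(s.creds, inviteToken)
	}
	return active, nil
}

// Authenticate resolves a presented token to the remote cluster it belongs to.
func (s *InviteStore) Authenticate(token string) (string, error) {
	c, ok := s.creds[token]
	if !ok {
		return "", ErrUnknownToken
	}
	return c.remoteID, nil
}

// InviteSurvivesConfirm reports whether the original invite token still authenticates after a
// confirmation; this is the regression check a fix for this class of bug needs per protocol path.
func InviteSurvivesConfirm(strict bool, protocol int, refreshed string) bool {
	s := NewInviteStore(strict)
	inv := s.Issue("remote-cluster-a") // constructed remote cluster name
	if _, err := s.Confirm(inv, protocol, refreshed); err != nil {
		panic(err)
	}
	_, err := s.Authenticate(inv)
	return err == nil
}

func main() {
	fmt.Println("flawed rule, v1 confirm, invite still live:", InviteSurvivesConfirm(false, ProtocolV1, ""))
	fmt.Println("hardened rule, v1 confirm, invite still live:", InviteSurvivesConfirm(true, ProtocolV1, ""))
}
```

The design point is that revocation is tied to the state transition (pending invite becomes confirmed) rather than to which protocol version or message fields the confirmer happened to send; any branch of the confirm path that can be reached without deleting the invite is the gap the advisory describes.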

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
github.com/mattermost/mattermost | Go | >= 10.12.0, < 10.12.2 | 10.12.2
github.com/mattermost/mattermost | Go | >= 10.11.0-rc1, < 10.11.5 | 10.11.5
github.com/mattermost/mattermost | Go | >= 11.0.0-alpha.1, < 11.0.4 | 11.0.4
github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20251031095924-e7e23b94e006 | 8.0.0-20251031095924-e7e23b94e006
github.com/mattermost/mattermost-server | Go | < 11.0.4 | 11.0.4

Affected products: 5

References: 6

News mentions: 0 (No linked articles in our index yet.)