Low severity3.7NVD Advisory· Published May 18, 2026· Updated May 19, 2026
CVE-2026-4273
CVE-2026-4273
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | >= 11.5.0, < 11.5.2 | 11.5.2 |
github.com/mattermost/mattermost/server/v8Go | >= 10.11.0, < 10.11.14 | 10.11.14 |
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20260313190740-742e0be95074 | 8.0.0-20260313190740-742e0be95074 |
github.com/mattermost/mattermost-serverGo | < 5.3.2-0.20260313190740-742e0be95074 | 5.3.2-0.20260313190740-742e0be95074 |
Affected products
4cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*range: >=10.11.0,<10.11.14
- (no CPE)range: 11.5.x <= 11.5.1, 10.11.x <= 10.11.13
- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:golang/github.com/mattermost/mattermost/server/v8
< 5.3.2-0.20260313190740-742e0be95074+ 1 more
- (no CPE)range: < 5.3.2-0.20260313190740-742e0be95074
- (no CPE)range: >= 11.5.0, < 11.5.2
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-hqpj-f3jh-29vxghsaADVISORY
- mattermost.com/security-updatesnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-4273ghsaADVISORY
- github.com/mattermost/mattermost/commit/742e0be9507454a7e662668e1d9ec1b94b636e9bghsaWEB
News mentions
0No linked articles in our index yet.