VYPR
Low severity3.7NVD Advisory· Published May 18, 2026· Updated May 19, 2026

CVE-2026-4273

CVE-2026-4273

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost/server/v8Go
>= 11.5.0, < 11.5.211.5.2
github.com/mattermost/mattermost/server/v8Go
>= 10.11.0, < 10.11.1410.11.14
github.com/mattermost/mattermost/server/v8Go
< 8.0.0-20260313190740-742e0be950748.0.0-20260313190740-742e0be95074
github.com/mattermost/mattermost-serverGo
< 5.3.2-0.20260313190740-742e0be950745.3.2-0.20260313190740-742e0be95074

Affected products

4

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.

CVE-2026-4273 · Low · VYPR