CVE-2025-58073 | THREATINT

Description

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.

PUBLISHED Reserved 2025-09-16 | Published 2025-10-16 | Updated 2025-10-22 | Assigner Mattermost

HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-862: Missing Authorization

Product status

Default status

unaffected

10.11.0 (semver)

affected

10.10.0 (semver)

affected

10.5.0 (semver)

affected

10.12.0

unaffected

10.11.2

unaffected

10.10.3

unaffected

10.5.11

unaffected

Credits

DoyenSec finder

References

mattermost.com/security-updates

cve.org (CVE-2025-58073)

nvd.nist.gov (CVE-2025-58073)

Download JSON