CVE-2024-2450

Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.

Published: Mar 15, 2024
Updated: May 4, 2025
CVE: CVE-2024-2450
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
mattermost / mattermost_server	8.1.0	8.1.10
mattermost / mattermost_server	9.4.0	9.4.3
mattermost / mattermost_server	9.3.0	9.3.2
mattermost / mattermost_server	9.2.0	9.2.6
mattermost / mattermost_server	9.5.0	9.5.0.x

https://mattermost.com/security-updates

Vulnerability Database

290,273

CVE-2024-2450