Vulnerability Database

319,561

Total vulnerabilities in the database

CVE-2025-13324

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

Published: Dec 17, 2025
Updated: Dec 25, 2025
CVE: CVE-2025-13324
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.7
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
mattermost / mattermost_server	10.11.0	10.11.6
mattermost / mattermost_server	10.12.0	10.12.3
mattermost / mattermost_server	11.0.0	11.0.5

https://mattermost.com/security-updates

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo