Mattermost Invite Token Replay Vulnerability Allowing Channel Membership Manipulation

Vulnerability

A vulnerability exists in Mattermost versions 10.11.x prior to 10.11.5, 11.0.x prior to 11.0.4, and 10.12.x prior to 10.12.2. These versions fail to invalidate invite tokens after they have been used, so a malicious actor who has intercepted a token can replay it to manipulate channel memberships, including adding users to or removing users from private channels.
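
The defect class this advisory describes, shown as an added illustration that is not Mattermost's code: a hypothetical in-memory invite store whose RedeemVulnerable leaves a token valid after use (so a copied token can be replayed) and whose RedeemOnce retires the token under the same lock as its first redemption. All type, function and channel names are assumed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
)

var ErrInvalidToken = errors.New("invite token invalid or already used")

// InviteStore is a hypothetical in-memory invite service, not Mattermost's code.
type InviteStore struct {
	mu      sync.Mutex
	pending map[string]string // outstanding token -> channel it grants membership in
}

func NewInviteStore() *InviteStore { return &InviteStore{pending: map[string]string{}} }

// Issue mints a random 128-bit token meant to admit exactly one user to channelID.
func (s *InviteStore) Issue(channelID string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[tok] = channelID
	return tok, nil
}

// retire=false reproduces the flaw: tok stays valid after use, so a copied token
// can be replayed. retire=true deletes it under the same lock as its first use.
func (s *InviteStore) redeem(tok string, retire bool) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	ch, ok := s.pending[tok]
	if !ok {
		return "", ErrInvalidToken
	}
	if retire {
		delete(s.pending, tok)
	}
	return ch, nil
}

// RedeemVulnerable is the pre-fix behaviour; RedeemOnce is the hardened form.
func (s *InviteStore) RedeemVulnerable(tok string) (string, error) { return s.redeem(tok, false) }
func (s *InviteStore) RedeemOnce(tok string) (string, error)       { return s.redeem(tok, true) }
```

A production fix would also bind the token to the invited account and give it an expiry, so that even an unredeemed token cannot be used by a different holder indefinitely.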

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of channel memberships, allowing for the addition or removal of users from private channels.

Remediation

Users can upgrade to Mattermost versions 11.1.0, 11.1.4, or 10.12.3 to address this vulnerability.

Added: Dec 17, 2025, 7:28 PM
Updated: Dec 17, 2025, 7:28 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.