Mattermost Multi-Version Vulnerability Allowing MFA Bypass on Plugin Endpoints

Vulnerability

A vulnerability exists in Mattermost versions 10.4.x through 10.4.2, 10.3.x through 10.3.3, and 9.11.x through 9.11.8, as well as in version 10.5.0. These versions fail to properly enforce multi-factor authentication (MFA) on plugin-specific API endpoints. This oversight enables authenticated attackers to bypass MFA protections by sending requests to these vulnerable plugin routes.

Impact

Exploitation of this vulnerability allows authenticated attackers to bypass multi-factor authentication protections on plugin-specific API endpoints.
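The weakness described above is a route-coverage problem: the MFA check is applied to the core API but not to plugin-specific paths. The following Go example, added here and not taken from Mattermost's code base, shows the defensive pattern of enforcing the second-factor check in one middleware that wraps the entire router, so a plugin route cannot sit outside it. The Session type, the token store, the route paths and the tokens are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is a hypothetical session record; the field names are assumptions,
// not Mattermost's own types.
type Session struct {
	UserID       string
	MFARequired  bool // server policy requires a second factor for this user
	MFACompleted bool // the second factor has been verified for this session
}

// lookupSession is a constructed stand-in for session storage keyed by bearer token.
func lookupSession(token string, store map[string]Session) (Session, bool) {
	s, ok := store[token]
	return s, ok
}

// RequireMFA wraps every handler, plugin routes included, and refuses requests
// whose session has not completed a required second factor. Placing it in front
// of the whole router is what guarantees no path prefix escapes the check.
func RequireMFA(store map[string]Session, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		s, ok := lookupSession(token, store)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if s.MFARequired && !s.MFACompleted {
			http.Error(w, "mfa required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter builds a mux with one core route and one plugin route (both hypothetical)
// and puts the MFA middleware in front of both.
func NewRouter(store map[string]Session) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v4/users/me", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "core ok")
	})
	mux.HandleFunc("/plugins/example/api/v1/data", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "plugin ok")
	})
	return RequireMFA(store, mux)
}

// Probe sends one request with the given bearer token and returns the HTTP status code.
func Probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// SampleStore returns constructed sessions: one fully verified, one that still
// owes its second factor.
func SampleStore() map[string]Session {
	return map[string]Session{
		"tok-complete": {UserID: "u1", MFARequired: true, MFACompleted: true},
		"tok-partial":  {UserID: "u2", MFARequired: true, MFACompleted: false},
	}
}

func main() {
	h := NewRouter(SampleStore())
	for _, p := range []string{"/api/v4/users/me", "/plugins/example/api/v1/data"} {
		fmt.Println(p, "complete:", Probe(h, p, "tok-complete"), "partial:", Probe(h, p, "tok-partial"))
	}
}
```

The useful check for a deployment is the same one the test below performs: a session that has not finished MFA must receive the same refusal on a plugin path as on a core path. If a regression test in your own service only probes core endpoints, a gap of this kind goes unnoticed.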

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          3.1
impact          5.0
exploitability  5.2
remediation     0.0
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.