Primary

Context

Mattermost MSTeams Plugin OAuth Vulnerability Allowing Arbitrary Post Edits

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x through 10.11.3, 10.5.x through 10.5.11, and 10.12.x through 10.12.0. The issue arises from a failure to properly validate the relationship between posts being updated and the MSTeams plugin OAuth flow. This flaw enables an attacker to edit arbitrary posts by using a crafted OAuth redirect URL from the MSTeams plugin.

Impact

Exploitation of this vulnerability allows for unauthorized editing of posts within Mattermost.

Remediation

Users can upgrade to Mattermost versions 11.1.011.0.310.12.210.11.510.5.13 or 11.0.0 to address this vulnerability.

Added: Nov 14, 2025, 9:10 AM

Updated: Nov 14, 2025, 9:10 AM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

4.8

remediation

7.7

relevance

1.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

4.8

remediation

7.7

relevance

1.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost MSTeams Plugin OAuth Vulnerability Allowing Arbitrary Post Edits

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating