Primary

Context

Mattermost Team Join Permission Vulnerability via OAuth State Manipulation

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x through 10.11.1, 10.10.x through 10.10.2, and 10.5.x through 10.5.10. These versions fail to properly verify whether a user has the necessary permissions to join a team using an original invite token. This flaw allows any user to join any team on a Mattermost server, bypassing existing restrictions, by manipulating the OAuth state.

Impact

Exploitation of this vulnerability allows users to join teams without proper authorization, potentially leading to unauthorized access to team resources and communications.

Remediation

Users can upgrade to Mattermost version 11.0.0 or 10.12.0, depending on their current version, to address this vulnerability.

Added: Oct 16, 2025, 9:19 AM

Updated: Oct 16, 2025, 3:54 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

7.4

remediation

7.7

relevance

0.7

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

7.4

remediation

7.7

relevance

0.7

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Team Join Permission Vulnerability via OAuth State Manipulation

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating