Primary

Context

Mattermost Team Join Permission Vulnerability via Manipulated Invite Token

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x through 10.11.1, 10.10.x through 10.10.2, and 10.5.x through 10.5.10. These versions fail to properly verify a user's permission to join a team using the original invite token. This flaw allows any user to join any team on a Mattermost server, bypassing existing restrictions, by manipulating the RelayState.

Impact

Exploitation of this vulnerability allows unauthorized users to join teams on the Mattermost server, disregarding any access restrictions that may be in place.

Remediation

Users can upgrade to Mattermost version 11.0.0 or 10.12.1, depending on their current version, to address this vulnerability.

Added: Oct 16, 2025, 9:19 AM

Updated: Oct 16, 2025, 3:53 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.7

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.7

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Team Join Permission Vulnerability via Manipulated Invite Token

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating