Mattermost Mobile Apps SSO Token Verification Vulnerability Allowing Session Credential Theft

Vulnerability

A vulnerability exists in Mattermost Mobile Apps in versions through 2.32.0, where the applications do not properly verify that Single Sign-On (SSO) redirect tokens come from a trusted server. This flaw enables a malicious Mattermost instance or an on-path attacker to intercept user session credentials by sending crafted tokens in URL responses.
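The missing check described above, as an added illustration (this is not Mattermost's code and not its actual fix): before a mobile client accepts a token from an SSO redirect, it should confirm that the redirect's origin is exactly the server the user configured, not merely that the URL contains a token. The trusted server URL, the callback paths and the `token` query-parameter name are constructed assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the server URL the user entered when adding the workspace.
TRUSTED_SERVER_URL = "https://chat.example.com"


def _origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for url, or None if it cannot serve as a trusted origin."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # only TLS origins are accepted, so an on-path host cannot inject one
    if parts.username is not None or parts.password is not None:
        return None  # "trusted.host@other.host" forms make a foreign host look trusted
    try:
        port = parts.port or 443
    except ValueError:
        return None  # malformed port
    return (parts.scheme, parts.hostname, port)  # hostname is already lowercased


def extract_sso_token(callback_url: str, trusted_server_url: str = TRUSTED_SERVER_URL) -> Optional[str]:
    """Return the SSO token in callback_url only if the callback's origin is the trusted server."""
    trusted = _origin(trusted_server_url)
    actual = _origin(callback_url)
    if trusted is None or actual is None or trusted != actual:
        return None  # different host, scheme or port: never hand the token to the session store
    tokens = parse_qs(urlsplit(callback_url).query).get("token", [])
    # Exactly one non-empty token; duplicates are treated as tampering.
    return tokens[0] if len(tokens) == 1 and tokens[0] else None


if __name__ == "__main__":
    # Constructed callbacks: one legitimate, the rest shaped to resemble the trusted host.
    for cb in [
        "https://chat.example.com/login/sso?token=abc123",
        "https://chat.example.com.evil.example/login/sso?token=abc123",
        "https://chat.example.com@evil.example/login/sso?token=abc123",
        "http://chat.example.com/login/sso?token=abc123",
    ]:
        print(cb, "->", extract_sso_token(cb))
```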

Impact

Exploitation of this vulnerability allows theft of user session credentials, potentially leading to unauthorized access to user accounts.

Remediation

Users can upgrade to Mattermost Mobile Apps version 2.32.1 or later to address this vulnerability.

Added: Nov 13, 2025, 6:17 PM
Updated: Nov 13, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.0
remediation: 0.0
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.