Primary

Context

Mattermost OpenID User Identity Validation Vulnerability Allowing Account Takeover

Vulnerability

Patched

A vulnerability exists in Mattermost versions 11.4.x through 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11. The issue arises from improper validation of user identity in the OpenID comparison logic, specifically in the user discovery process. This flaw allows an attacker to take over user accounts by exploiting an overly permissive substring matching error.

Impact

Exploitation of this vulnerability allows for unauthorized account takeover.

Remediation

Users can upgrade to Mattermost versions 11.5.0 or 11.6.0 to address this vulnerability.

Added: Mar 25, 2026, 7:20 PM

Updated: Mar 25, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.0

exploitability

7.4

remediation

7.7

relevance

4.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.0

exploitability

7.4

remediation

7.7

relevance

4.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost OpenID User Identity Validation Vulnerability Allowing Account Takeover

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating