GHSA-x3r8-2hmh-89f5

Source
https://github.com/advisories/GHSA-x3r8-2hmh-89f5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-x3r8-2hmh-89f5/GHSA-x3r8-2hmh-89f5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x3r8-2hmh-89f5
Aliases
Published
2025-12-17T21:30:48Z
Modified
2025-12-30T02:26:00.406815Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Details

Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate remote cluster invite tokens when the legacy (version 1) protocol is used or when the confirming party does not provide a refreshed token. An attacker who has obtained an invite token can therefore keep authenticating as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
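
The advisory describes a one-time credential that is not always consumed on use. The following Go program is an added illustration of that failure mode and of the fix, written for this page; it is not Mattermost's code and the store, method names and protocol-version handling are assumptions. `ConfirmVulnerable` only retires the original token when a version 2 confirmation carries a refreshed token, so a legacy (v1) confirmation or a v2 confirmation without a refreshed token leaves the captured token replayable. `ConfirmFixed` consumes the token on every accepted confirmation, whatever the protocol version, and only then registers a refreshed credential if one was supplied.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// InviteStore is a hypothetical in-memory registry of outstanding
// remote-cluster invite tokens (assumption: not Mattermost's own code).
type InviteStore struct {
	mu       sync.Mutex
	pending  map[string]string // token -> remote cluster ID it authenticates
	consumed map[string]bool   // tokens already used for a confirmation
}

func NewInviteStore() *InviteStore {
	return &InviteStore{pending: map[string]string{}, consumed: map[string]bool{}}
}

// Issue mints a fresh random invite token for a remote cluster.
func (s *InviteStore) Issue(clusterID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[tok] = clusterID
	return tok, nil
}

// ConfirmFunc is the signature shared by the vulnerable and fixed confirmers.
type ConfirmFunc func(s *InviteStore, token, refreshed string, protocolVersion int) (string, error)

// ConfirmVulnerable mirrors the flaw the advisory describes: the invite token is
// only retired when a v2 confirmation also presents a refreshed token. A v1
// confirmation, or a v2 confirmation without a refreshed token, leaves the
// original token valid, so anyone who captured it can replay it later.
func (s *InviteStore) ConfirmVulnerable(token, refreshed string, protocolVersion int) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	clusterID, ok := s.pending[token]
	if !ok {
		return "", errors.New("unknown invite token")
	}
	if protocolVersion >= 2 && refreshed != "" {
		delete(s.pending, token) // rotation is the only path that invalidates
		s.pending[refreshed] = clusterID
	}
	return clusterID, nil
}

// ConfirmFixed consumes the invite token on every accepted confirmation,
// regardless of protocol version or whether a refreshed token was supplied.
// Rotation to a refreshed credential, when offered, happens only after the
// original token has been retired.
func (s *InviteStore) ConfirmFixed(token, refreshed string, protocolVersion int) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	clusterID, ok := s.pending[token]
	if !ok || s.consumed[token] {
		return "", errors.New("invite token invalid or already used")
	}
	delete(s.pending, token)
	s.consumed[token] = true
	if protocolVersion >= 2 && refreshed != "" {
		s.pending[refreshed] = clusterID
	}
	return clusterID, nil
}

// ReplaySucceeds runs one legitimate confirmation with the given parameters,
// then replays the same captured token and reports whether the replay is accepted.
func ReplaySucceeds(confirm ConfirmFunc, refreshed string, protocolVersion int) bool {
	s := NewInviteStore()
	tok, err := s.Issue("remote-cluster-a") // constructed sample cluster ID
	if err != nil {
		return false
	}
	if _, err := confirm(s, tok, refreshed, protocolVersion); err != nil {
		return false // the legitimate confirmation itself must succeed
	}
	_, err = confirm(s, tok, refreshed, protocolVersion) // attacker replays tok
	return err == nil
}

func main() {
	cases := []struct {
		name      string
		refreshed string
		version   int
	}{
		{"v1, no refreshed token", "", 1},
		{"v2, no refreshed token", "", 2},
		{"v2, refreshed token", "rotated-token", 2},
	}
	for _, c := range cases {
		fmt.Printf("%-25s vulnerable replay=%v  fixed replay=%v\n", c.name,
			ReplaySucceeds((*InviteStore).ConfirmVulnerable, c.refreshed, c.version),
			ReplaySucceeds((*InviteStore).ConfirmFixed, c.refreshed, c.version))
	}
}
```

The first two cases are the two conditions named in the advisory (legacy protocol, missing refreshed token); the third shows that the vulnerable path only defends itself when rotation happens to occur. The general check to carry into a code review is that a single-use credential must be marked consumed on the same code path that accepts it, never on a side path that may not run.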

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2025-12-17T19:16:01Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-20T17:27:10Z"
}
References

Affected packages

Go

github.com/mattermost/mattermost

Package

Name
github.com/mattermost/mattermost
Purl
pkg:golang/github.com/mattermost/mattermost

Affected ranges

Type
SEMVER
Events
Introduced
10.12.0
Fixed
10.12.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-x3r8-2hmh-89f5/GHSA-x3r8-2hmh-89f5.json"

github.com/mattermost/mattermost

Package

Name
github.com/mattermost/mattermost
Purl
pkg:golang/github.com/mattermost/mattermost

Affected ranges

Type
SEMVER
Events
Introduced
10.11.0-rc1
Fixed
10.11.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-x3r8-2hmh-89f5/GHSA-x3r8-2hmh-89f5.json"

github.com/mattermost/mattermost

Package

Name
github.com/mattermost/mattermost
Purl
pkg:golang/github.com/mattermost/mattermost

Affected ranges

Type
SEMVER
Events
Introduced
11.0.0-alpha.1
Fixed
11.0.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-x3r8-2hmh-89f5/GHSA-x3r8-2hmh-89f5.json"

github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.0.0-20251031095924-e7e23b94e006

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-x3r8-2hmh-89f5/GHSA-x3r8-2hmh-89f5.json"

github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
11.0.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-x3r8-2hmh-89f5/GHSA-x3r8-2hmh-89f5.json"

last_known_affected_version_range

"< 5.3.2-0.20251028000919-d3ed703dc833"