CVE-2025-13324

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-13324

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-13324.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-13324

Aliases

Downstream

SUSE-SU-2026:0037-1

Related

SUSE-SU-2026:0037-1

Published

2025-12-17T19:16:01.093Z

Modified

2026-04-09T10:34:07.576873Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

5b955468ea1ea8b56c0fb10feb258a36a767d7bb

Fixed

e7e23b94e0060019d73e678578c57b4838ac12f3

Introduced

ba3dc1612ce8f37bf9814b1ea6364181fb5abd62

Fixed

09ae989823a456a6831eca1eb4f49c71589dafab

Introduced

Fixed

33fcf2d87f96ed29b1196d3ebb22202ed86712c9

Database specific

{
    "versions": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.6"
        },
        {
            "introduced": "10.12.0"
        },
        {
            "fixed": "10.12.3"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.0.5"
        }
    ]
}

Affected versions

@mattermost/client@10.*

@mattermost/client@10.11.0

@mattermost/client@10.12.0

@mattermost/client@11.*

@mattermost/client@11.0.4

@mattermost/types@10.*

@mattermost/types@10.11.0

@mattermost/types@10.12.0

@mattermost/types@11.*

@mattermost/types@11.0.4

Other

cloud-2022-07-20-1

cloud-2022-08-10-1

cloud-2022-09-08-1

cloud-2022-10-06-1

cloud-2022-11-11-1

cloud-2022-11-24-1

mattermost-redux@10.*

mattermost-redux@10.11.0

mattermost-redux@10.12.0

mattermost-redux@11.*

mattermost-redux@11.0.4

preview-v0.*

preview-v0.1

server/public/v0.*

server/public/v0.0.10

server/public/v0.0.11

server/public/v0.0.12

server/public/v0.0.13

server/public/v0.0.14

server/public/v0.0.15

server/public/v0.0.16

server/public/v0.0.17

server/public/v0.0.18

server/public/v0.0.5

server/public/v0.0.6

server/public/v0.0.7

server/public/v0.0.8

server/public/v0.0.9

server/public/v0.1.0

server/public/v0.1.1

server/public/v0.1.10

server/public/v0.1.11

server/public/v0.1.12

server/public/v0.1.13

server/public/v0.1.14

server/public/v0.1.15

server/public/v0.1.16

server/public/v0.1.17

server/public/v0.1.18

server/public/v0.1.19

server/public/v0.1.2

server/public/v0.1.3

server/public/v0.1.4

server/public/v0.1.5

server/public/v0.1.6

server/public/v0.1.7

server/public/v0.1.8

server/public/v0.1.9

v0.*

v0.5.0

v10.*

v10.11.0

v10.11.0-rc3

v10.11.1

v10.11.1-rc1

v10.11.2

v10.11.2-rc1

v10.11.2-rc2

v10.11.3

v10.11.4

v10.11.4-rc1

v10.11.4-rc2

v10.11.4-rc3

v10.11.5

v10.12.0

v10.12.1

v10.12.1-rc1

v10.12.2

v11.*

v11.0.0-alpha.1

v11.0.1

v11.0.1-rc1

v11.0.1-rc2

v11.0.1-rc3

v11.0.2

v11.0.3

v11.0.3-rc1

v11.0.4

v4.*

v4.10.0-rc1

v4.2.0-rc1

v4.3.0-rc1

v4.4.0-rc1

v4.5.0-rc1

v4.6.0-rc1

v4.6.0-rc2

v4.7.0-rc1

v4.8.0-rc1

v4.9.0-rc1

v5.*

v5.0.0-rc1

v5.1.0-rc1

v5.2.0-rc1

v5.2.0-rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-13324.json"