16 matches found
CVE-2025-13324
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...
EUVD-2025-203920
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate invite tokens after use, which allows malicious actors who have intercepted invite tokens to manipulate channel memberships, including adding or removing users from private channels, via token replay attack...
Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate a...
CVE-2025-13324
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization involving invite tokens. An attacker can manipulate channel memberships, including adding or removing users from private channels, by replaying intercepted tokens. Remediation: Upgrade...
CVE-2025-13324 Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...
CVE-2025-13324 Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy version 1 protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to...
CVE-2025-13324
CVE-2025-13324 affects Mattermost server versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, and 10.12.x
PT-2025-51854
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate invite tokens after use, which allows malicious actors who have intercepted invite tokens to manipulate channel memberships, including adding or removing users from private channels, via token replay attack...
CVE-2025-66223 OpenObserve's Invite Token Lifecycle Misconfiguration
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...
CVE-2025-66223 OpenObserve's Invite Token Lifecycle Misconfiguration
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...
CVE-2025-66223
OpenObserve (cloud-native observability platform) before v0.16.0 is affected by an access-control issue in the invitation token lifecycle. Tokens did not expire, remained valid after a user was removed, and allowed multiple invitations to the same email with different roles—resulting in a removed...
CVE-2025-58073
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state...
Mattermost Security Vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability in Mattermost 10.11.x versions 10.11.1 and earlier, 10.10.x versions 10.10.2 and earlier, and 10.5.x versions 10.5.10 and earlier stems from a failure to validate a user's permission to join a Mattermo...
PT-2024-37377 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf Description: An improper access control issue exists, allowing attackers to use auth tokens from the 'invite user' functionality to obtain valid JWT tokens...
GitHub: Invite tokens have Insufficient entropy in GHES Management Console
An insufficient entropy vulnerability in GitHub Enterprise Server invitation tokens allowed brute force attacks against pending user invitations to the management console. This affected all versions since 3.8 and was fixed in 3.8.12, 3.9.7, 3.10.4, and 3.11.1...