Lucene search
+L

103 matches found

osv
osv
added 2026/05/18 9:31 a.m.10 views

GHSA-HQPJ-F3JH-29VX Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

3.7CVSS5.8AI score0.00142EPSS
Exploits0References4
osv
osv
added 2026/05/18 9:31 a.m.11 views

GHSA-8H9W-W78C-VVR3 Mattermost does not verify remote cluster channel access when processing shared channel membership removals

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References4
nvd
nvd
added 2026/05/18 8:16 a.m.15 views

CVE-2026-4273

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

4.3CVSS0.00142EPSS
Exploits0References1
nvd
nvd
added 2026/05/18 8:16 a.m.16 views

CVE-2026-28759

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS0.00152EPSS
Exploits0References1
euvd
euvd
added 2026/05/18 6:56 a.m.13 views

EUVD-2026-30740

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

3.7CVSS5.8AI score0.00142EPSS
Exploits0References1
cve
cve
added 2026/05/18 6:56 a.m.24 views

CVE-2026-4273

Mattermost contains an insufficient validation flaw in remote cluster invite confirmation. Versions affected: 11.5.x ≤ 11.5.1 and 10.11.x ≤ 10.11.13. The RefreshedToken is not properly checked against the original invite token, allowing an authenticated attacker to bypass token rotation and reuse...

4.3CVSS5.8AI score0.00142EPSS
Exploits0References1Affected Software1
cvelist
cvelist
added 2026/05/18 6:56 a.m.41 views

CVE-2026-4273 Insufficient token rotation validation in remote cluster invite confirmation

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

3.7CVSS0.00142EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/05/18 6:56 a.m.10 views

CVE-2026-4273

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

3.7CVSS5.8AI score0.00142EPSS
Exploits0References2Affected Software1
vulnrichment
vulnrichment
added 2026/05/18 6:56 a.m.14 views

CVE-2026-4273 Insufficient token rotation validation in remote cluster invite confirmation

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

3.7CVSS5.8AI score0.00142EPSS
Exploits0References1
osv
osv
added 2026/05/18 6:56 a.m.3 views

CVE-2026-4273 Insufficient token rotation validation in remote cluster invite confirmation

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

3.7CVSS6AI score0.00142EPSS
Exploits0References3
cvelist
cvelist
added 2026/05/18 6:50 a.m.48 views

CVE-2026-28759 Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS0.00152EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/18 6:50 a.m.9 views

CVE-2026-28759 Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/05/18 6:50 a.m.10 views

CVE-2026-28759

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/05/18 6:50 a.m.4 views

CVE-2026-28759 Insufficient authorization in shared channel membership sync allows remote cluster to remove users from arbitrary channels

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel,...

4.3CVSS6AI score0.00152EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/05/18 12:0 a.m.16 views

PT-2026-41640

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Mattermost versions 11.4.0 through 11.4.3 Description An issue exists during shared channel membership sync where the system fails to validate if a remote...

4.3CVSS5.9AI score0.00152EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/05/18 12:0 a.m.13 views

PT-2026-41643

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Description Insufficient token rotation validation occurs during remote cluster invite confirmation. An authenticated attacker can bypass token rotation and...

4.3CVSS5.9AI score0.00142EPSS
Exploits0References9
github
github
added 2026/03/26 12:30 p.m.6 views

Mattermost has an Incorrect Authorization issue

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared...

5.4CVSS5.9AI score0.00141EPSS
Exploits0References3Affected Software1
euvd
euvd
added 2026/03/26 12:30 p.m.5 views

EUVD-2026-16162

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared...

5.4CVSS5.8AI score0.00141EPSS
Exploits0References2
osv
osv
added 2026/03/26 12:30 p.m.4 views

GHSA-G7FP-CQJ5-X8HF Mattermost has an Incorrect Authorization issue

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared...

5.4CVSS5.9AI score0.00141EPSS
Exploits0References3
snyk
snyk
added 2026/03/26 12:25 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the membership synchronization process. An attacker can gain unauthorized access to an entire private team by sending crafted membership synchronization messages from a remote cluster that trigger team...

5.4CVSS6AI score0.00141EPSS
Exploits0References2
Rows per page
Query Builder