2 matches found
CVE-2026-4273 Insufficient token rotation validation in remote cluster invite confirmation
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the invite mechanism for remote clusters. An attacker can send unauthorized synchronization payloads by intercepting both the invite and password during the invitation process. Remediation Upgrad...