Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8(Go) | 10.5.0 | 10.5.2 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 9.11.0 | 9.11.10 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 0 | 8.0.0-20250220161544-fd356b62b4dd | N/A |
CVSS Metrics
