Base Score

HIGH8.1

CVE-2025-58073

Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.

VectorNETWORK

Published Byresponsibledisclosure@mattermost.com

Published DateOct 16, 2025, 09:15

Affected Versions(4)

github.com/mattermost/mattermost/server/v8(Go)

Introduced0

Fixed8.0.0-20250807174701-e14175eb6539

LimitN/A

github.com/mattermost/mattermost-server(Go)

Introduced10.11.0

Fixed10.11.2

LimitN/A

github.com/mattermost/mattermost-server(Go)

Introduced10.10.0

Fixed10.10.3

LimitN/A

github.com/mattermost/mattermost-server(Go)

Introduced10.5.0

Fixed10.5.11

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/mattermost/mattermost/server/v8(Go)	0	8.0.0-20250807174701-e14175eb6539	N/A
github.com/mattermost/mattermost-server(Go)	10.11.0	10.11.2	N/A
github.com/mattermost/mattermost-server(Go)	10.10.0	10.10.3	N/A
github.com/mattermost/mattermost-server(Go)	10.5.0	10.5.11	N/A

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

https://mattermost.com/security-updates

Base Score

HIGH8.1

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE