Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/mattermost/mattermost-server(Go) | 10.5.0 | 10.5.8 | N/A |
| github.com/mattermost/mattermost-server(Go) | 9.11.0 | 9.11.17 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 0 | 8.0.0-20250612074655-8f8612c63783 | N/A |
CVSS Metrics
