CVE-2025-13324
LOW
3.7
Our Analysis: General-Purpose
Our model has classified this vulnerability as relevant to General-Purpose Systems, helping your team prioritize efforts effectively.
Published Date
December 17, 2025
Last Modified
December 29, 2025
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.