CVEFinder.io

CVE-2026-4273

ℹī¸ low
🔍 Scan for this CVE
Summary

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575

CVSS Score
3.7
Low
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-18
First Seen: 2026-05-19
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 4.0% of all 327,350 vulnerabilities in our database.

#314,298
Below average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: May 18, 2026
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Partial
Limited system impact
🏆 Discovered By
daw10
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE IDs (Weakness Types)
CWE-863

đŸ“Ļ Affected Products 2

Vendor Product Status Affected Versions
mattermost mattermost_server Affected
> 10.11.0 < 10.11.14
mattermost mattermost_server Affected
> 11.5.0 < 11.5.2

🔗 References 1

https://mattermost.com/security-updates
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-4915 đŸ”ļ medium 6.5 0.1 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil element... 2026-05-25
CVE-2026-3473 đŸ”ļ medium 5.9 0.0 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file owne... 2026-05-22
CVE-2026-3636 đŸ”ļ medium 4.3 0.0 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team memb... 2026-05-22
CVE-2026-4635 đŸ”ļ medium 6.5 0.0 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channe... 2026-05-22
CVE-2026-4646 đŸ”ļ medium 4.3 0.1 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supp... 2026-05-22
CVE-2026-5308 đŸ”ļ medium 4.9 0.1 Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request bo... 2026-05-22
These CVEs affect the same products