Mattermost 10.11.x-10.11.5 & 11.0.x-11.0.4: Invite Token Replay Enables Channel Control
CVE-2025-13324 Published on December 17, 2025
Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.
Vulnerability Analysis
CVE-2025-13324 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2025-13324 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2025-13324
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Version 10.11.0, <= 10.11.5 is affected.
- Version 11.0.0, <= 11.0.4 is affected.
- Version 10.12.0, <= 10.12.2 is affected.
- Version 11.1.0 is unaffected.
- Version 10.11.6 is unaffected.
- Version 11.0.5 is unaffected.
- Version 10.12.3 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.