CVE-2025-13324 LOW

CVE-2025-13324: Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published December 17, 2025
Last update December 24, 2025

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

1. Description

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4 and 10.12.x <= 10.12.2 fail to invalidate a remote cluster invite token once the invitation is confirmed, in two cases: when the legacy (version 1) remote cluster protocol is used, or when the confirming party does not supply a refreshed token. An attacker who has obtained the invite token (for example from a leaked invitation) can therefore keep authenticating as that remote cluster and perform limited actions on the shared channels even after the legitimate remote has completed the confirmation. Only integrity is affected (CVSS I:L), and the attacker must first get hold of the token, hence the high attack complexity.

Key dates

2. Disclosure timeline

December 17, 2025 CVE published
December 24, 2025 Record updated