CVE-2025-6227 (severity: Low)

CVE-2025-6227: Invite token is used as part of the secure communication

Vendor Mattermost
Product Mattermost
Weakness CWE-522 · Insufficiently protected credentials
Published July 18, 2025
Last update July 18, 2025

CVSS base score

2.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Description

Mattermost versions 10.5.x <= 10.5.7 and 9.11.x <= 9.11.16 fail to negotiate a new token when an invite is accepted. An attacker who intercepts both the invite and the password can therefore send synchronization payloads, via the REST API, to the server that originally created the invite.

Disclosure timeline

July 18, 2025 CVE published
July 18, 2025 Record updated