CVE-2026-4273 LOW

CVE-2026-4273: Insufficient token rotation validation in remote cluster invite confirmation

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published May 18, 2026
Last update May 18, 2026

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575

Key dates

02Disclosure timeline

May 18, 2026 CVE published
May 18, 2026 Record updated