PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22880 Mattermost CVE debrief

CVE-2026-22880 describes an SSO callback origin validation weakness in Mattermost Mobile Apps. According to the NVD entry and the Mattermost reference, an attacker who controls a malicious Mattermost server can abuse the mobile app's SSO flow to relay the SSO code exchange through the app, exposing authentication material that was intended for a legitimate server (the CVSS vector rates confidentiality impact high). The entry carries a reporter-supplied CWE-352 mapping and a CVSS 3.1 base score of 6.1 (medium).

Vendor
Mattermost
Product
Mattermost Mobile Apps (per the NVD description; affected and fixed versions are not given in stored evidence)
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Organizations using Mattermost Mobile Apps for SSO-based sign-in should pay attention, especially if users can connect to multiple Mattermost servers or if mobile devices may be directed to untrusted or attacker-controlled servers. Security teams managing Mattermost deployments, identity integrations, and mobile app update policies should review exposure.

Technical summary

NVD describes the flaw as improper validation of the SSO authentication callback origin. In practical terms, the mobile app does not bind the callback it receives to the server that started the login, so it can be tricked into accepting an authentication callback from an attacker-controlled Mattermost server and completing the SSO code exchange with, or through, that server. NVD maps the weakness to CWE-352 (Cross-Site Request Forgery), a mapping supplied by the reporter; the mechanism as described is a client-side origin-binding failure rather than a classic CSRF. The vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N decodes as network-reachable, high attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, and no integrity or availability impact.

Defensive priority

Medium. The issue requires user interaction and an attacker-controlled or compromised server in the user's set of connected servers, but the confidentiality impact is rated high because the relayed code exchange can expose authentication material or session-related secrets during SSO. Prioritize if mobile SSO is used broadly or if users connect to third-party or externally managed Mattermost servers.

Recommended defensive actions

  • Review Mattermost's security updates page referenced in the advisory and apply the fixed mobile app versions when available; the origin check lives in the app, so only an app update removes the flaw.
  • Restrict mobile clients to trusted Mattermost server endpoints and avoid allowing users to add or authenticate against untrusted or unexpected servers.
  • On the server and identity-provider side, audit the SSO configuration (registered redirect URIs, allowed callback hosts) so that authorization codes are only ever returned to the legitimate server's callbacks; this limits what a relay can obtain but does not replace the app fix.
  • Monitor for anomalous SSO login attempts or unusual server-switching behavior from mobile clients, for example a login started against one server and completed against another.
  • Validate enterprise mobile management policies so Mattermost app updates can be rolled out promptly.
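The mechanism from the technical summary and the "restrict mobile clients to trusted servers" action above, as an added example. This is illustrative JavaScript written for this debrief (the Mattermost mobile app is a React Native app, but none of this is Mattermost's code or its actual fix). The deep-link scheme `mmauth://callback`, the `server`, `code` and `state` query parameters, the `/oauth/authorize` path and all class and function names are assumptions; the callback URLs are constructed for the demonstration. The weak handler takes the exchange target from the callback itself, which is the pattern the CVE description implies; the hardened handler only ever exchanges the code with the server recorded when the login began, enforces a single-use state, and optionally restricts logins to an allowlist of server origins.

```javascript
// Added example, not Mattermost code. Models a mobile client's SSO callback
// handling: a weak variant that trusts the callback's server claim and a
// hardened variant that binds the callback to the server that started the login.

// Reduce a server URL to its origin (scheme + host + port) and refuse plain HTTP.
function normaliseOrigin(serverUrl) {
  const u = new URL(serverUrl);
  if (u.protocol !== "https:") throw new Error(`refusing non-HTTPS server ${serverUrl}`);
  return u.origin;
}

// Default state generator: insist on a CSPRNG rather than silently degrading.
function defaultStateSource() {
  const c = globalThis.crypto;
  if (!c || typeof c.getRandomValues !== "function") {
    throw new Error("no CSPRNG available; inject a stateSource backed by one");
  }
  const bytes = c.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

class SsoClient {
  // allowedServers: optional list of server URLs the client may log in to (hypothetical policy).
  constructor({ allowedServers = null, stateSource = defaultStateSource } = {}) {
    this.allowedServers = allowedServers ? new Set(allowedServers.map(normaliseOrigin)) : null;
    this.stateSource = stateSource;
    this.pending = new Map(); // state -> origin of the server that started the login
  }

  beginLogin(serverUrl) {
    const serverOrigin = normaliseOrigin(serverUrl);
    if (this.allowedServers && !this.allowedServers.has(serverOrigin)) {
      throw new Error(`server ${serverOrigin} is not on the allowlist`);
    }
    const state = this.stateSource();
    this.pending.set(state, serverOrigin);
    // Hypothetical authorize URL; real SSO endpoints differ per provider.
    return { state, authorizeUrl: `${serverOrigin}/oauth/authorize?state=${encodeURIComponent(state)}` };
  }

  // Weak pattern: the callback tells the client which server to finish the
  // exchange with, so a malicious server can have the code exchanged with itself.
  handleCallbackUnsafe(callbackUrl) {
    const p = new URL(callbackUrl).searchParams;
    return { exchangeWith: normaliseOrigin(p.get("server")), code: p.get("code") };
  }

  // Hardened pattern: the exchange target comes only from the pending login
  // keyed by state; the callback's own server claim must match it exactly.
  handleCallback(callbackUrl) {
    const p = new URL(callbackUrl).searchParams;
    const state = p.get("state");
    const code = p.get("code");
    const claimed = p.get("server");
    if (!state || !code || !claimed) throw new Error("callback missing state, code or server");
    const expected = this.pending.get(state);
    if (!expected) throw new Error("no pending login for this state");
    this.pending.delete(state); // single use: a replayed callback is rejected
    if (normaliseOrigin(claimed) !== expected) {
      throw new Error(`callback origin ${claimed} does not match login server ${expected}`);
    }
    return { exchangeWith: expected, code };
  }
}

// Constructed relay scenario: the user starts a login against the legitimate
// server, then a callback arrives that names a malicious server instead.
function demoRelay() {
  const client = new SsoClient({ stateSource: () => "fixed-state-for-demo" });
  const { state } = client.beginLogin("https://chat.example.com");
  const evil = `mmauth://callback?server=${encodeURIComponent("https://evil.example.net")}` +
    `&code=AUTHCODE&state=${state}`;
  const unsafe = client.handleCallbackUnsafe(evil).exchangeWith; // code would go to the attacker
  let safe;
  try { client.handleCallback(evil); safe = "accepted"; } catch (e) { safe = "rejected"; }
  return { unsafe, safe };
}

console.log(demoRelay());
```

The decisive line is that `handleCallback` never reads the exchange target from the callback; the callback may only confirm what the client already recorded. Keying the pending login by state also gives a cheap signal for the monitoring action above: a callback with an unknown or mismatched state is worth logging as a possible relay attempt.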

Evidence notes

Based only on the supplied corpus: NVD records CVE-2026-22880 with status 'Received', CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N, and CWE-352 supplied by the reporter. The NVD reference list includes Mattermost’s security updates page. The description explicitly states that improper validation of the SSO authentication callback origin can let an attacker controlling a malicious Mattermost server relay the SSO code exchange through the mobile app.

Official resources

Publicly disclosed in NVD on 2026-05-21. The supplied NVD record references a Mattermost security updates page and identifies the issue as related to Mattermost Mobile Apps; no KEV listing was supplied.