PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4273 Mattermost CVE debrief

A vulnerability in Mattermost Server versions 10.11.0 through 10.11.13 and 11.5.0 through 11.5.1 allows an authenticated attacker to bypass token rotation during remote cluster invite confirmation. The root cause is a missing validation check that the RefreshedToken supplied in the confirmation differs from the original invite token. By sending a crafted invite confirmation whose RefreshedToken equals the original token, an attacker can keep the original invite token valid despite the intended rotation. The weakness is classified as CWE-863 (Incorrect Authorization). The CVSS 3.1 base score of 3.7 (Low) reflects the high attack complexity and the limited, integrity-only impact. The vulnerability was disclosed on May 18, 2026, and the NVD entry was analyzed on May 19, 2026. Mattermost has published security updates addressing the issue.

Vendor
Mattermost
Product
Mattermost Server
CVSS
LOW 3.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-18
Original CVE updated
2026-05-19
Advisory published
2026-05-18
Advisory updated
2026-05-19

Who should care

Mattermost Server administrators operating multi-cluster deployments with remote cluster invite functionality enabled; security teams responsible for identity and access management in Mattermost environments; compliance officers tracking token lifecycle management controls.

Technical summary

The vulnerability is in the remote cluster invite confirmation handler, which fails to validate that the RefreshedToken carried in a confirmation is distinct from the original invite token. An authenticated attacker who holds the original invite token can craft a confirmation request in which the RefreshedToken field equals that token. The server accepts the confirmation and "rotates" the token to the same value, so the original token remains valid and the security benefit of rotation is lost. The attack requires network access to the Mattermost server and knowledge of the original invite token, but no user interaction. The NVD vector scores privileges required as none (PR:N) and attack complexity as high (AC:H); the practical barrier is therefore obtaining the original invite token rather than holding a privileged Mattermost account. The integrity impact is low because the attack grants nothing beyond what the original invite token was already intended to authorize; confidentiality and availability are not affected.
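The check the advisory describes as missing is small, and the contrast is easiest to see in code. The following Go program is an added example written for this debrief; it is not Mattermost's own code, and the Invite and Confirmation types, the handler names and the error values are assumptions modelled on the advisory's wording. The vulnerable handler accepts a confirmation whose RefreshedToken equals the original token and so "rotates" the token to itself; the fixed handler rejects that case (and an empty replacement) before touching the stored token.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Invite is a hypothetical model of a pending remote cluster invite as the
// accepting server stores it. It is not Mattermost's own type.
type Invite struct {
	Token     string // token issued when the invite was created
	Confirmed bool   // set once the remote cluster has confirmed the invite
}

// Confirmation is a hypothetical model of what a remote cluster sends back.
// Field names follow the advisory's wording, not a real API.
type Confirmation struct {
	Token          string // the invite token the remote cluster received
	RefreshedToken string // the replacement token it proposes for future use
}

var (
	ErrBadToken        = errors.New("confirmation does not carry the current invite token")
	ErrEmptyToken      = errors.New("refreshed token must not be empty")
	ErrTokenNotRotated = errors.New("refreshed token must differ from the original invite token")
)

// tokensEqual compares tokens in constant time so the check itself does not
// leak token bytes through timing.
func tokensEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// confirmInviteVulnerable reproduces the flaw the advisory describes: it
// verifies that the confirmation carries the current invite token, then
// installs whatever RefreshedToken the caller supplied. Nothing checks that
// the new token differs from the old one, so RefreshedToken == Token
// "rotates" the token to itself and the original stays valid.
func confirmInviteVulnerable(inv *Invite, c Confirmation) error {
	if !tokensEqual(inv.Token, c.Token) {
		return ErrBadToken
	}
	inv.Token = c.RefreshedToken
	inv.Confirmed = true
	return nil
}

// confirmInviteFixed adds the missing validation: the refreshed token must be
// present and must not equal the token being retired. A rejected
// confirmation leaves the invite unconfirmed and its token unchanged.
func confirmInviteFixed(inv *Invite, c Confirmation) error {
	if !tokensEqual(inv.Token, c.Token) {
		return ErrBadToken
	}
	if c.RefreshedToken == "" {
		return ErrEmptyToken
	}
	if tokensEqual(c.RefreshedToken, inv.Token) {
		return ErrTokenNotRotated
	}
	inv.Token = c.RefreshedToken
	inv.Confirmed = true
	return nil
}

// newToken mints a random 256-bit token, as an honest remote cluster would.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// runConfirmation applies a handler to a fresh invite holding the given
// original token and returns the resulting state, so the caller can ask
// whether the original token still authenticates afterwards.
func runConfirmation(confirm func(*Invite, Confirmation) error, original string, c Confirmation) (*Invite, error) {
	inv := &Invite{Token: original}
	err := confirm(inv, c)
	return inv, err
}

func main() {
	original := newToken()
	crafted := Confirmation{Token: original, RefreshedToken: original} // the attack
	honest := Confirmation{Token: original, RefreshedToken: newToken()}
	cases := []struct {
		name    string
		handler func(*Invite, Confirmation) error
		c       Confirmation
	}{{"vulnerable/crafted", confirmInviteVulnerable, crafted}, {"fixed/crafted", confirmInviteFixed, crafted}, {"fixed/honest", confirmInviteFixed, honest}}
	for _, tc := range cases {
		inv, err := runConfirmation(tc.handler, original, tc.c)
		fmt.Printf("%-19s err=%v confirmed=%v originalStillValid=%v\n", tc.name, err, inv.Confirmed, tokensEqual(inv.Token, original))
	}
}
```

Running it prints one line per case: the vulnerable handler confirms the crafted request with the original token still valid, the fixed handler rejects it with ErrTokenNotRotated, and the fixed handler accepts an honest confirmation and retires the original. The fix deliberately tests the new token against the stored token rather than against the Token field of the request, so a confirmation cannot bypass the check by supplying a Token value that no longer matches the server's state.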

Defensive priority

low

Recommended defensive actions

  • Upgrade Mattermost Server to 10.11.14 or later on the 10.11 branch, or to 11.5.2 or later on the 11.5 branch.
  • Search audit logs for remote cluster invite confirmations in which the refreshed token equals the original invite token, and for any invite token that was still accepted after the confirmation that should have retired it.
  • Verify that security update channels are configured to receive Mattermost security advisories promptly.

Evidence notes

Vulnerability confirmed via NVD CPE criteria and Mattermost vendor advisory. Affected versions explicitly listed as 10.11.0 through 10.11.13 and 11.5.0 through 11.5.1. CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N sourced from NVD. CWE-863 classification from vendor disclosure.

Official resources

2026-05-18