CVE-2026-4273: Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

May 18, 2026 (updated June 1, 2026)

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575

References

github.com/advisories/GHSA-hqpj-f3jh-29vx
github.com/mattermost/mattermost/commit/742e0be9507454a7e662668e1d9ec1b94b636e9b
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-4273

Code Behaviors & Features

Detect and mitigate CVE-2026-4273 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →