Headline
GHSA-x3r8-2hmh-89f5: Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Mattermost versions 10.11.x < 10.11.5, 11.0.x < 11.0.4, 10.12.x < 10.12.2 fail to invalidate invite tokens after use which allows malicious actors who have intercepted invite tokens to manipulate channel memberships including adding or removing users from private channels via token replay attack.
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-13324
Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
Moderate severity GitHub Reviewed Published Dec 17, 2025 to the GitHub Advisory Database • Updated Dec 20, 2025
Package
gomod github.com/mattermost/mattermost (Go)
Affected versions
>= 10.12.0, < 10.12.2
>= 10.11.0-rc1, < 10.11.5
>= 11.0.0-alpha.1, < 11.0.4
Patched versions
10.12.2
10.11.5
11.0.4
gomod github.com/mattermost/mattermost-server (Go)
< 5.3.2-0.20251028000919-d3ed703dc833
gomod github.com/mattermost/mattermost/server/v8 (Go)
< 8.0.0-20251031095924-e7e23b94e006
8.0.0-20251031095924-e7e23b94e006
Description
Published to the GitHub Advisory Database
Dec 17, 2025
Last updated
Dec 20, 2025