6.5
CVE-2026-3590
- EPSS 0.03%
- Published 15.04.2026 11:00:14
- Last modified 22.04.2026 19:41:52
- Source responsibledisclosure@mattermo
Race Condition in Guest Magic Link Authentication Allows Token Reuse
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests. Mattermost Advisory ID: MMSA-2026-00624
Data provided by the National Vulnerability Database (NVD)
Mattermost ≫ Mattermost Server Version >= 10.11.0 < 10.11.13
Mattermost ≫ Mattermost Server Version >= 11.3.0 < 11.3.3
Mattermost ≫ Mattermost Server Version >= 11.4.0 < 11.4.3
Mattermost ≫ Mattermost Server Version >= 11.5.0 < 11.5.1
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.1 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| responsibledisclosure@mattermost.com | 6.5 | 3.9 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.