CVE-2025-6227

Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.

CVSS v3 2.2 LOW

2.2^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.7 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

History

14 Oct 2025, 14:32

Type	Values Removed	Values Added
First Time		Mattermost mattermost Server Mattermost
References	~~() https://mattermost.com/security-updates -~~	() https://mattermost.com/security-updates - Vendor Advisory
CPE		cpe:2.3:a:mattermost:mattermost_server::::::::

22 Jul 2025, 13:06

Type	Values Removed	Values Added
Summary		(es) Las versiones de Mattermost 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 no pueden negociar un nuevo token al aceptar la invitación, lo que permite que un usuario que intercepta tanto la invitación como la contraseña envíe payloads de sincronización al servidor que creó originalmente la invitación a través de la API REST.

18 Jul 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-18 12:15

Updated : 2025-10-14 14:32

NVD link : CVE-2025-6227

Mitre link : CVE-2025-6227

CVE.ORG link : CVE-2025-6227

JSON object : View

Products Affected

mattermost

mattermost_server

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2025-6227", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2025-07-18T12:15:23.843", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API."}, {"lang": "es", "value": "Las versiones de Mattermost 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 no pueden negociar un nuevo token al aceptar la invitaci\u00f3n, lo que permite que un usuario que intercepta tanto la invitaci\u00f3n como la contrase\u00f1a env\u00ede payloads de sincronizaci\u00f3n al servidor que cre\u00f3 originalmente la invitaci\u00f3n a trav\u00e9s de la API REST."}], "lastModified": "2025-10-14T14:32:24.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F117291-CF45-4790-8BEB-E51DB0BAEF82", "versionEndExcluding": "9.11.17", "versionStartIncluding": "9.11.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86CE4B65-61C3-4994-88AB-06AC79F92965", "versionEndExcluding": "10.5.8", "versionStartIncluding": "10.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}