Zero Day Monitor
CVSS 6.5 · CVE-2026-3590 · Exploited · Patched
Vendor: mattermost · Product: mattermost

Race Condition in Guest Magic Link Authentication Allows Token Reuse

Description

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests. Mattermost Advisory ID: MMSA-2026-00624

Affected Products

Vendor: mattermost
Product: mattermost
Versions: 10.11.0, 11.5.0, 11.4.0, 11.3.0, 10.11.15, 11.4.5, 11.5.4, 11.6.1

References

  • https://mattermost.com/security-updates (vendor advisory)

Related News (5 articles)

  • Tier B · BSI Advisories · 4h ago: "[NEW] [medium] Mattermost: Multiple vulnerabilities allow an unspecified attack" → No new info (linked only)
  • Tier B · CERT-FR · 14h ago: "Vulnerability in Mattermost Server (20 April 2026)" → No new info (linked only)
  • Tier B · BSI Advisories · 4d ago: "[NEW] [medium] Mattermost: Multiple vulnerabilities allow an unspecified attack" → No new info (linked only)
  • Tier B · CERT-FR · 4d ago: "Multiple vulnerabilities in Mattermost Server (16 April 2026)" → No new info (linked only)
  • Tier C · VulDB · 5d ago: "CVE-2026-3590 | Mattermost up to 10.11.12/11.3.2/11.4.2/11.5.0 toctou" → No new info (linked only)
CVSS 3.1: 6.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: 11.6.1
CWE: CWE-367
Published: Apr 15, 2026
Last enriched: 2h ago (v3)
Tags: multiple vulnerabilities, mattermost, security bulletin
Trending Score: 72
Source articles: 5
Independent: 3
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

  • MEDIUM · CVE-2026-28741 · EXP: CSRF Protection Bypass Allows Updating a User's Authentication Method (Trending: 22)
  • MEDIUM · CVE-2026-4265: Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack u (Trending: 13)
  • HIGH · CVE-2026-3524 · EXP: Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check (Trending: 10)
  • LOW · CVE-2026-27769: Connected Workspaces: Malicious remote server can manipulate arbitrary user's status (Trending: 10)
  • LOW · CVE-2026-21388: Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint (Trending: 9)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 15, 2026
  • Discovered by ZDM: Apr 15, 2026
  • Updated (severity): Apr 15, 2026
  • Actively Exploited: Apr 15, 2026
  • Exploit Available: Apr 15, 2026
  • Patch Available: Apr 15, 2026
  • Updated (affectedVersions, severity, exploitAvailable, activelyExploited, patchAvailable): Apr 20, 2026

Version History

Current: v3 (last enriched 2h ago)

v3 · Tier B · 2h ago

Updated affected versions, changed severity to HIGH, and marked the vulnerability as actively exploited with an exploit available.

Fields changed: affectedVersions, severity, exploitAvailable, activelyExploited, patchAvailable
Source: CERT-FR

v2 · Tier C · 5d ago

Updated severity to CRITICAL and noted that no exploit exists.

Fields changed: severity
Source: VulDB

v1 · 5d ago

Initial creation