Platform
mattermost
Component
mattermost
Fixed in
10.11.13
11.5.1
11.4.3
11.3.3
8.0.0-20250723052842-4cb8d8940332
CVE-2026-3590 is a race condition vulnerability in Mattermost. An attacker who holds a valid guest magic link token can create multiple authenticated sessions concurrently, which can lead to unauthorized access and data compromise. The affected release lines are 10.11.x up to 10.11.12, 11.3.x up to 11.3.2, 11.4.x up to 11.4.2 and 11.5.x up to 11.5.0; fixes are available in 10.11.13, 11.3.3, 11.4.3, 11.5.1 and 11.6.1.
The root cause is that affected versions do not consume a guest magic link token as a single atomic single-use operation. Concurrent requests presenting the same link can each be validated before any of them invalidates the token, so each request is granted its own independent authenticated session. An attacker could, for example, script a burst of simultaneous requests carrying the same magic link and obtain multiple logins under the same guest identity. This undermines the single-use guarantee of guest invitations and could expose sensitive information within the Mattermost instance to an attacker who obtained the link.
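The following Go program, added here as an illustration and not taken from Mattermost's code or patch, shows the difference between the non-atomic pattern the advisory describes and an atomic single-use consume. The token store, the token value and the function names are constructed for the example; a barrier between the "check" and the "act" step makes the race win deterministically so the outcome can be compared.

```go
package main

import (
	"fmt"
	"sync"
)

// tokenStore stands in for the persistent store of one-time guest magic-link
// tokens. It is constructed for this example and is not Mattermost code.
type tokenStore struct {
	mu     sync.Mutex
	unused map[string]bool // token -> true while still unconsumed
}

func newTokenStore(tokens ...string) *tokenStore {
	s := &tokenStore{unused: make(map[string]bool)}
	for _, t := range tokens {
		s.unused[t] = true
	}
	return s
}

// lookup only reads: it reports whether tok exists and is still unused.
func (s *tokenStore) lookup(tok string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.unused[tok]
}

// markUsed invalidates tok. lookup followed by markUsed is the
// check-then-act pattern that concurrent requests can interleave.
func (s *tokenStore) markUsed(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.unused[tok] = false
}

// consumeOnce validates and invalidates tok in one critical section and
// reports whether this caller won. At most one caller ever gets true for a
// given token. A SQL-backed store would do the same with one conditional
// statement, e.g. UPDATE tokens SET used=1 WHERE token=? AND used=0, and
// accept only when exactly one row was affected (illustrative query, not
// the project's own).
func (s *tokenStore) consumeOnce(tok string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.unused[tok] {
		return false
	}
	s.unused[tok] = false
	return true
}

// loginBurst fires n concurrent login attempts with the same token and
// returns how many sessions were issued. A barrier makes every attempt
// finish its check before any attempt acts, so the racy path loses every
// time rather than only when the scheduler happens to interleave them.
func loginBurst(n int, tok string, store *tokenStore, atomicConsume bool) int {
	var (
		barrier  sync.WaitGroup
		done     sync.WaitGroup
		mu       sync.Mutex
		sessions int
	)
	barrier.Add(n)
	done.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer done.Done()
			var ok bool
			if atomicConsume {
				barrier.Done()
				barrier.Wait()
				ok = store.consumeOnce(tok)
			} else {
				ok = store.lookup(tok) // check: token looks valid...
				barrier.Done()
				barrier.Wait()
				if ok {
					store.markUsed(tok) // ...act: too late, every other request already passed the check
				}
			}
			if ok {
				mu.Lock()
				sessions++ // stands in for creating an authenticated session
				mu.Unlock()
			}
		}()
	}
	done.Wait()
	return sessions
}

func main() {
	const tok = "guest-magic-link-token" // placeholder value, not a real token
	fmt.Println("sessions with check-then-act:", loginBurst(20, tok, newTokenStore(tok), false))
	fmt.Println("sessions with atomic consume: ", loginBurst(20, tok, newTokenStore(tok), true))
}
```

With 20 concurrent attempts the check-then-act path issues 20 sessions and the atomic path issues exactly one. The design point is that the decision "is this token unused?" and the state change "this token is now used" must happen under the same lock or in the same conditional database statement; a read followed by a separate write is never single-use under concurrency, however short the gap.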
Exploitation of this vulnerability requires access to a valid guest magic link. These links are typically generated when a guest user is invited to join a team or channel. An attacker could obtain a guest magic link through social engineering, data leaks, or if a legitimate user accidentally shares the link. The ease of generating multiple concurrent requests makes this vulnerability relatively easy to exploit, particularly for attackers with basic technical skills.
Exploit Status
EPSS: 0.03% (9th percentile)
The fix is to upgrade to a patched release of Mattermost: 10.11.13, 11.3.3, 11.4.3, 11.5.1 or 11.6.1, or any later version on the same line. These releases correct the race condition by ensuring that each guest magic link token is consumed exactly once, so concurrent requests with the same link can no longer each obtain a session. If an immediate upgrade is not possible, review your Mattermost security policies and consider additional measures such as limiting the lifetime of magic links and monitoring for unusual guest account activity. Mattermost Advisory ID MMSA-2026-00624 provides further information on the vulnerability and the fix.
Update Mattermost to version 11.6.1 or later, 10.11.13 or later, 11.3.3 or later, 11.4.3 or later, or 11.5.1 or later to mitigate the vulnerability. The update corrects the race condition that allows repeated use of guest magic link tokens, preventing the creation of multiple authenticated sessions.
A guest magic link is a temporary link that allows a user to join a team or channel in Mattermost without needing to create an account. It's commonly used to provide temporary access to external guests.
If you are running one of the affected versions (10.11.x up to 10.11.12, 11.3.x up to 11.3.2, 11.4.x up to 11.4.2, 11.5.x up to 11.5.0), your instance is vulnerable.
Immediately upgrade to the latest version of Mattermost. Review audit logs for any unusual activity. Consider revoking all existing guest magic links.
While not a complete solution, you can limit the duration of guest magic links and monitor for unusual activity from guest accounts.
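One concrete way to do the monitoring suggested above, added here as an example and not part of the advisory or of Mattermost: a legitimate single-use magic link should yield at most one session, so a guest account that receives several sessions within a short window is the signal to look for. The log lines below are constructed for the example and their layout is an assumption, not Mattermost's audit-log schema; adapt parseSessions to the real format.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example. The line layout (RFC 3339 time,
// event name, key=value fields) is an assumption and not Mattermost's
// audit-log schema.
const sampleLog = `2026-03-01T10:00:00Z session_created user=guest_a ip=203.0.113.5
2026-03-01T10:00:00Z session_created user=guest_a ip=203.0.113.5
2026-03-01T10:00:01Z session_created user=guest_a ip=198.51.100.7
2026-03-01T10:05:00Z session_created user=guest_b ip=203.0.113.9
2026-03-01T11:30:00Z session_created user=guest_b ip=203.0.113.9
2026-03-01T10:06:00Z login_failed user=guest_c ip=203.0.113.9`

// parseSessions returns the session_created timestamps grouped by user,
// each user's list sorted ascending. Malformed lines are reported as errors
// rather than silently skipped.
func parseSessions(log string) (map[string][]time.Time, error) {
	byUser := make(map[string][]time.Time)
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		if fields[1] != "session_created" {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		user := ""
		for _, kv := range fields[2:] {
			if strings.HasPrefix(kv, "user=") {
				user = strings.TrimPrefix(kv, "user=")
			}
		}
		if user == "" {
			return nil, fmt.Errorf("no user field in %q", line)
		}
		byUser[user] = append(byUser[user], at)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	for _, ts := range byUser {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
	}
	return byUser, nil
}

// burstLogins flags users whose count of session_created events inside any
// window of the given length exceeds limit, returning the peak count per
// flagged user. limit=1 with a window of about a minute matches the race:
// one magic link should never produce two sessions that close together.
func burstLogins(log string, window time.Duration, limit int) (map[string]int, error) {
	byUser, err := parseSessions(log)
	if err != nil {
		return nil, err
	}
	flagged := make(map[string]int)
	for user, ts := range byUser {
		peak := 0
		for i := range ts { // sliding window over the sorted timestamps
			j := i
			for j < len(ts) && ts[j].Sub(ts[i]) <= window {
				j++
			}
			if j-i > peak {
				peak = j - i
			}
		}
		if peak > limit {
			flagged[user] = peak
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := burstLogins(sampleLog, time.Minute, 1)
	if err != nil {
		panic(err)
	}
	for user, n := range flagged {
		fmt.Printf("%s: %d sessions within one minute\n", user, n)
	}
}
```

On the sample data only guest_a is flagged (three sessions within one second, from two source addresses); guest_b's two sessions are 85 minutes apart and are not. Tune the window to your session-creation patterns and correlate flagged users with the invitation that issued their link before revoking it.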
Refer to Mattermost Advisory ID: MMSA-2026-00624 on the Mattermost website for more detailed information.