{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3590", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-03-05T11:34:57.712Z", "datePublished": "2026-04-15T11:00:14.880Z", "dateUpdated": "2026-04-15T14:00:27.030Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "10.11.12", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"lessThanOrEqual": "11.5.0", "status": "affected", "version": "11.5.0", "versionType": "semver"}, {"lessThanOrEqual": "11.4.2", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "11.3.2", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"version": "11.6.0", "status": "unaffected"}, {"version": "10.11.13", "status": "unaffected"}, {"version": "11.5.1", "status": "unaffected"}, {"version": "11.4.3", "status": "unaffected"}, {"version": "11.3.3", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Edgar Bellot Mic\u00f3"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 6.5}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "cweId": "CWE-367"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00624", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.6.0, 10.11.13, 11.5.1, 11.4.3, 11.3.3 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00624", "defect": ["https://mattermost.atlassian.net/browse/MM-67791"], "discovery": "EXTERNAL"}, "title": "Race Condition in Guest Magic Link Authentication Allows Token Reuse", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-15T11:00:14.880Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T14:00:15.919479Z", "id": "CVE-2026-3590", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:00:27.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3590", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T14:00:15.919479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:00:23.071Z"}}], "cna": {"title": "Race Condition in Guest Magic Link Authentication Allows Token Reuse", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67791"], "advisory": "MMSA-2026-00624", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Edgar Bellot Mic\u00f3"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "10.11.0", "versionType": "semver", "lessThanOrEqual": "10.11.12"}, {"status": "affected", "version": "11.5.0", "versionType": "semver", "lessThanOrEqual": "11.5.0"}, {"status": "affected", "version": "11.4.0", "versionType": "semver", "lessThanOrEqual": "11.4.2"}, {"status": "affected", "version": "11.3.0", "versionType": "semver", "lessThanOrEqual": "11.3.2"}, {"status": "unaffected", "version": "11.6.0"}, {"status": "unaffected", "version": "10.11.13"}, {"status": "unaffected", "version": "11.5.1"}, {"status": "unaffected", "version": "11.4.3"}, {"status": "unaffected", "version": "11.3.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.6.0, 10.11.13, 11.5.1, 11.4.3, 11.3.3 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00624", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-15T11:00:14.880Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3590", "state": "PUBLISHED", "dateUpdated": "2026-04-15T14:00:27.030Z", "dateReserved": "2026-03-05T11:34:57.712Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-04-15T11:00:14.880Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCC7A7BB-02AF-4CC9-9F33-8787C87B73F0", "versionEndExcluding": "10.11.13", "versionStartIncluding": "10.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9041D47-B3B0-4958-BD55-FC8A17789C72", "versionEndExcluding": "11.3.3", "versionStartIncluding": "11.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D1C9027C-4E83-47E3-8D96-1928F34FBD8E", "versionEndExcluding": "11.4.3", "versionStartIncluding": "11.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D6803A0-3760-4659-95A9-3859B62C0EF4", "versionEndExcluding": "11.5.1", "versionStartIncluding": "11.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624"}], "id": "CVE-2026-3590", "lastModified": "2026-04-22T19:41:52.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-04-15T12:16:40.023", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.11.0,10.11.12]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.5.0,11.5.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.4.0,11.4.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.3.0,11.3.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.6.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.11.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.5.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.3.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-04-15T12:21:11.073211+00:00", "value": {"mitigation_remediation": ["Update Mattermost to version 11.6.0, 10.11.13, 11.5.1, 11.4.3, 11.3.3, or a newer release to disable token reuse.", "Revoke all outstanding guest magic link tokens before applying the patch to prevent session hijacking.", "Temporarily disable guest magic link authentication for all users until the update is applied, reducing the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Token Reuse"}, "threat_synthesis": {"affected_systems": "Mattermost; affected versions are 10.11.x up to 10.11.12, 11.5.x up to 11.5.0, 11.4.x up to 11.4.2, and 11.3.x up to 11.3.2. The advisory identifies these releases as vulnerable and recommends upgrading to 11.6.0, 10.11.13, 11.5.1, 11.4.3, or 11.3.3 and newer.", "description_and_impact": "Mattermost versions 10.11.x up to 10.11.12, 11.5.x up to 11.5.0, 11.4.x up to 11.4.2, and 11.3.x up to 11.3.2 fail to enforce atomic single\u2011use consumption of guest magic link tokens, allowing an attacker with a valid magic link to open multiple independent authenticated sessions through concurrent requests. This flaw lets an attacker impersonate any guest user, access private channels, and potentially read or modify sensitive data. The weakness is a race condition (CWE\u2011367) that compromises authentication integrity.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium\u2011to\u2011high severity. Because the EPSS score is not available and the vulnerability is not listed in KEV, the likelihood of immediate exploitation is unknown, yet the flaw could be leveraged by anyone who has intercepted or phished a magic link. The attacker must make concurrent requests with the same magic link, a scenario that is achievable from a remote position. If successful, the attacker gains persistent, unauthenticated access until the session is terminated."}}}}, "created": "2026-04-15T13:38:17.785261+00:00", "updated": "2026-04-15T13:38:28.754573+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}