SCA: security update for github.com/mattermost/mattermost, github.com/mattermost/mattermost-server, github.com/mattermost/mattermost/server/v8 (GHSA-x3r8-2hmh-89f5)

low Tenable Cloud Security Plugin ID 436474

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote
cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not
provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as
the remote cluster and perform limited actions on shared channels even after the invitation has been
legitimately confirmed. (CVE-2025-13324)

See Also

https://github.com/advisories/GHSA-x3r8-2hmh-89f5

Plugin Details

Severity: Low

ID: 436474

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 12/20/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2025-13324

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/17/2025

Vulnerability Publication Date: 12/11/2025

Reference Information

CVE: CVE-2025-13324

cwe: CWE-863