Mattermost has Insufficiently Protected Credentials

Low severity
GitHub Reviewed
Published Jul 18, 2025 to the GitHub Advisory Database • Updated Jul 21, 2025
Published by the National Vulnerability Database: Jul 18, 2025
Published to the GitHub Advisory Database: Jul 18, 2025
Last updated: Jul 21, 2025
Reviewed: Jul 21, 2025

Description
Mattermost versions 10.5.x <= 10.5.7 and 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite, which allows a user who intercepts both the invite and the password to send synchronization payloads, via the REST API, to the server that originally created the invite.
References