—

GO-2026-5507

Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement in github.com/mattermost/mattermost-server

Details

Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement in github.com/mattermost/mattermost-server

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/mattermost/mattermost-server

Introduced in: 10.11.0-rc1+incompatible Fixed in: 10.11.13+incompatible

Fix go get github.com/mattermost/mattermost-server@v10.11.13+incompatible

Go / github.com/mattermost/mattermost-server/v5

Introduced in: 0

No fixed version published yet for github.com/mattermost/mattermost-server/v5 (go modules). Pin to a known-safe version or switch to an alternative.

Go / github.com/mattermost/mattermost-server/v6

Introduced in: 0

No fixed version published yet for github.com/mattermost/mattermost-server/v6 (go modules). Pin to a known-safe version or switch to an alternative.

Go / github.com/mattermost/mattermost/server/v8

Introduced in: 8.0.0-20250721062209-4952acea88ce Fixed in: 8.0.0-20250723052842-4cb8d8940332

Fix go get github.com/mattermost/mattermost/server/v8@v8.0.0-20250723052842-4cb8d8940332

References

https://github.com/advisories/GHSA-mh4x-rmrx-3hp4 [ADVISORY]
https://nvd.nist.gov/vuln/detail/CVE-2026-3590 [ADVISORY]
https://mattermost.com/security-updates [WEB]