Mattermost CVE-2025-58075: Brief Summary of Authorization Bypass via Invite Token and RelayState Manipulation

This post provides a brief summary of CVE-2025-58075, a high-severity authorization bypass in Mattermost versions 10.11.x through 10.11.1, 10.10.x through 10.10.2, and 10.5.x through 10.5.10. The flaw allows unauthorized team access by manipulating the RelayState parameter with a valid invite token. It covers affected versions, technical details, and vendor security context.

ZeroPath CVE Analysis

2025-10-16

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can join any team on a vulnerable Mattermost server by manipulating a single parameter in the authentication flow. This flaw allows unauthorized access to sensitive collaboration spaces, regardless of configured team restrictions, in environments that often handle regulated or classified data.

Mattermost is an open-source and commercial collaboration platform used by enterprises, government agencies, and organizations with strict data residency and compliance requirements. With deployments in defense, critical infrastructure, and regulated industries, Mattermost's security posture directly impacts operational security for thousands of organizations worldwide.

Technical Information

CVE-2025-58075 is an authorization bypass vulnerability in Mattermost versions 10.11.x through 10.11.1, 10.10.x through 10.10.2, and 10.5.x through 10.5.10. The flaw occurs in the team invitation mechanism, specifically when a user attempts to join a team using an original invite token.

The root cause is the absence of proper authorization checks when processing join requests that include a valid invite token. Mattermost fails to confirm that the user is permitted to join the team referenced in the request. By manipulating the RelayState parameter, which is used in SAML authentication flows to maintain state and redirect users post-authentication, an attacker can redirect the join process to a different team than the one associated with the invite token.

Because the system does not validate that the user is authorized for the target team, the attacker is able to join any team on the server, bypassing all configured restrictions. This vulnerability is classified under CWE-862 (Missing Authorization).
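To make the missing check concrete, here is an added example that is not Mattermost's own code: the Server type, the in-memory token store and the JoinVulnerable/JoinFixed handlers are hypothetical. It contrasts a join handler that trusts the RelayState-derived team with one that binds the join to the team the invite token was issued for.

```go
package main

import "errors"

// Hypothetical in-memory model of the join-by-invite flow; the names are
// constructed for this example and are not Mattermost's own identifiers.
type Server struct {
	TokenTeam map[string]string          // invite token -> team it was issued for
	Members   map[string]map[string]bool // teamID -> set of userIDs
}

var ErrInvalidToken = errors.New("unknown invite token")
var ErrWrongTeam = errors.New("requested team does not match the invite token")

func NewServer(tokenTeam map[string]string) *Server {
	return &Server{TokenTeam: tokenTeam, Members: map[string]map[string]bool{}}
}

func (s *Server) addMember(teamID, userID string) {
	if s.Members[teamID] == nil {
		s.Members[teamID] = map[string]bool{}
	}
	s.Members[teamID][userID] = true
}

func (s *Server) IsMember(teamID, userID string) bool { return s.Members[teamID][userID] }

// JoinVulnerable reproduces the missing check: the target team is taken from the
// RelayState-derived request parameter and never compared with the token's team.
func (s *Server) JoinVulnerable(userID, tokenID, relayTeamID string) error {
	if _, ok := s.TokenTeam[tokenID]; !ok {
		return ErrInvalidToken
	}
	s.addMember(relayTeamID, userID) // joins whatever team the request named
	return nil
}

// JoinFixed binds the join to the team the token was issued for and rejects any
// request whose RelayState-derived target disagrees with it.
func (s *Server) JoinFixed(userID, tokenID, relayTeamID string) error {
	team, ok := s.TokenTeam[tokenID]
	if !ok {
		return ErrInvalidToken
	}
	if relayTeamID != "" && relayTeamID != team {
		return ErrWrongTeam
	}
	s.addMember(team, userID)
	return nil
}
```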

Affected Systems and Versions

  • Mattermost 10.11.x up to and including 10.11.1
  • Mattermost 10.10.x up to and including 10.10.2
  • Mattermost 10.5.x up to and including 10.5.10

All configurations that use invite tokens for team membership are vulnerable in these versions.

Vendor Security History

Mattermost has previously addressed similar authorization and authentication issues, including:

  • CVE-2025-6227: Insufficient token negotiation in invite acceptance
  • CVE-2025-3913: Improper validation of team privacy settings
  • CVE-2025-3611: Access control issues for System Manager roles

The vendor maintains a monthly patch cycle and a responsible disclosure process, with advisories published on their security updates page. The recurrence of team and channel access control flaws indicates ongoing complexity in Mattermost's authorization logic.
