CVE-2026-4273 Overview
CVE-2026-4273 is an authorization vulnerability in Mattermost Server affecting versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13. The flaw resides in the remote cluster invite confirmation flow, where the server fails to validate that the RefreshedToken differs from the original invite token. An authenticated attacker can send a crafted invite confirmation containing a RefreshedToken matching the original token, bypassing token rotation and reusing the original invite token. Mattermost tracks this issue as advisory MMSA-2026-00575 and classifies it under [CWE-863: Incorrect Authorization].
Critical Impact
Authenticated attackers can bypass token rotation on remote cluster invites, enabling reuse of the original invite token and weakening the integrity of remote cluster trust boundaries.
Affected Products
- Mattermost Server 11.5.x up to and including 11.5.1
- Mattermost Server 10.11.x up to and including 10.11.13
- Mattermost remote cluster invite confirmation feature
Discovery Timeline
- 2026-05-18 - CVE-2026-4273 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-4273
Vulnerability Analysis
The vulnerability is an authorization flaw in the remote cluster invite confirmation logic of Mattermost Server. Remote cluster invitations use a token-rotation pattern in which the confirming party returns a RefreshedToken that should replace the original invite token. Mattermost did not enforce that the RefreshedToken differ from the original token. An authenticated attacker can submit a confirmation in which the RefreshedToken equals the original invite token, defeating the rotation step. The consequence is integrity impact on the remote cluster trust state, since the original token remains valid instead of being rotated out. The exposure requires network access and a valid authenticated session, but no user interaction. Confidentiality and availability are not directly impacted.
Root Cause
The root cause is missing validation in the invite confirmation handler. The code accepts any value supplied in the RefreshedToken field without comparing it to the original invite token. Because the rotation step is not enforced, the security invariant that the confirming party must present a fresh token is broken, mapping cleanly to [CWE-863].
Attack Vector
An authenticated attacker with permission to participate in a remote cluster invite confirmation crafts a confirmation request in which the RefreshedToken field is populated with the original invite token. The server accepts the value, completes the confirmation, and persists the original token as the active token. The attacker can then continue to use the original invite token rather than a rotated value. The vulnerability is remotely reachable but requires low-privileged authentication and no user interaction. See the Mattermost Security Updates advisory for full technical details.
Detection Methods for CVE-2026-4273
Indicators of Compromise
- Remote cluster invite confirmation requests where the RefreshedToken value equals the original invite token issued for the same cluster pairing.
- Audit log entries showing successful invite confirmations that did not change the stored token value for a remote cluster record.
- Continued use of an invite token beyond its expected single-confirmation lifecycle.
Detection Strategies
- Inspect application audit logs for remote cluster confirmation events and correlate the submitted RefreshedToken against the original invite token issued to that remote cluster.
- Alert when the active remote cluster token after confirmation matches the pre-confirmation token, indicating rotation did not occur.
- Review authentication telemetry for repeated use of the same invite token across multiple sessions or sources.
Monitoring Recommendations
- Forward Mattermost server logs and audit events to a centralized analytics platform and build queries on remote cluster invite confirmation outcomes.
- Monitor for anomalous patterns of remote cluster invite activity from authenticated low-privilege accounts.
- Track the mattermost-server version in inventory and flag instances running 11.5.1, 10.11.13, or earlier in the affected branches.
How to Mitigate CVE-2026-4273
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release beyond 11.5.1 for the 11.5.x branch and beyond 10.11.13 for the 10.11.x branch, as published in the Mattermost Security Updates advisory.
- Invalidate and reissue any remote cluster invite tokens issued before the patch was applied.
- Review remote cluster trust relationships and confirm token rotation occurred as expected during recent invite confirmations.
Patch Information
Mattermost released security updates addressing CVE-2026-4273 under advisory MMSA-2026-00575. The fix enforces validation that the RefreshedToken value differs from the original invite token during remote cluster invite confirmation. Administrators should consult the Mattermost Security Updates page for the specific fixed versions corresponding to their deployment branch.
Workarounds
- Restrict the ability to initiate or confirm remote cluster invitations to a small set of trusted administrators until patches are applied.
- Disable the remote clusters feature in environments where it is not required, removing the attack surface entirely.
- Rotate remote cluster invite tokens manually after each confirmation and verify the stored token changed.
# Verify installed Mattermost Server version on a Linux host
mattermost version
# Or query the API to confirm the running build
curl -sS https://<mattermost-host>/api/v4/system/ping?get_server_status=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
