Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
Low severity
GitHub Reviewed
Published
May 18, 2026
to the GitHub Advisory Database
•
Updated Jun 1, 2026
Package
Affected versions
< 5.3.2-0.20260318173148-e9ae890a013b
Patched versions
5.3.2-0.20260318173148-e9ae890a013b
>= 11.5.0, < 11.5.2
>= 10.11.0, < 10.11.14
< 8.0.0-20260318173148-e9ae890a013b
11.5.2
10.11.14
8.0.0-20260318173148-e9ae890a013b
Description
Published by the National Vulnerability Database
May 18, 2026
Published to the GitHub Advisory Database
May 18, 2026
Reviewed
Jun 1, 2026
Last updated
Jun 1, 2026
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermost Advisory ID: MMSA-2026-00570
References