CVE-2026-22880 PUBLISHED

Mobile SSO authentication flow allows credential theft via malicious server

Assigner: Mattermost
Reserved: 23.02.2026 Published: 21.05.2026 Updated: 21.05.2026

Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 6.1

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 0 to 2.0.37 (incl.) affected from 0 to 11.0.4 (incl.) affected from 0 to 11.1.3 (incl.) affected from 0 to 11.3.2 (incl.) affected from 0 to 10.11.11 (incl.) Version 2.38.0 is unaffected Version 11.5.0 is unaffected Version 2.37.1.0 is unaffected Version 11.4.1 is unaffected Version 11.3.2 is unaffected Version 11.2.4 is unaffected Version 10.11.12 is unaffected

Solutions

Update Mattermost Mobile Apps to versions 2.38.0, 11.5.0, 2.37.1.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher.

Credits

Doyensec finder

References

MMSA-2025-00564

Problem Types

CWE-352: Cross-Site Request Forgery (CSRF) CWE