CVE-2026-3590 PUBLISHED

Race Condition in Guest Magic Link Authentication Allows Token Reuse

Assigner: Mattermost
Reserved: 05.03.2026 Published: 15.04.2026 Updated: 15.04.2026

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 10.11.0 to 10.11.12 (incl.) affected from 11.5.0 to 11.5.0 (incl.) affected from 11.4.0 to 11.4.2 (incl.) affected from 11.3.0 to 11.3.2 (incl.) Version 11.6.0 is unaffected Version 10.11.13 is unaffected Version 11.5.1 is unaffected Version 11.4.3 is unaffected Version 11.3.3 is unaffected

Solutions

Update Mattermost to versions 11.6.0, 10.11.13, 11.5.1, 11.4.3, 11.3.3 or higher.

Credits

Edgar Bellot Micó finder

References

MMSA-2026-00624

Problem Types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE