CVE-2026-3590

EUVD-2026-22915 MEDIUM

2026-04-15 Mattermost

Information Disclosure

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 15, 2026 - 11:41 vuln.today

DescriptionNVD

Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624

AnalysisAI

Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to enforce atomic consumption of guest magic link tokens, allowing unauthenticated attackers to establish multiple concurrent authenticated sessions from a single valid magic link. This enables unauthorized access and potential information disclosure without requiring additional credentials or user interaction beyond intercepting or obtaining the link.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-3590 vulnerability details – vuln.today

Back

CVE-2026-3590

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code