SSO Authentication Flaw in Mattermost Mobile Apps
CVE-2026-22880

6.1 MEDIUM

Key Information:

Vendor:
Mattermost

CVE Published:
21 May 2026

What is CVE-2026-22880?

Mattermost Mobile Apps fail to adequately validate the origin of SSO authentication callbacks. An attacker operating a malicious Mattermost server that the mobile app talks to can use that server to intercept and relay the SSO code exchange and thereby obtain the user's credentials. Exploitation is rated as high complexity and requires user interaction (see the CVSS metrics below). For more details, refer to Mattermost Advisory ID MMSA-2025-00564.
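As an added illustration of the class of check the description refers to (this is not code from Mattermost or from the advisory, and it does not claim to be the vendor's fix), the TypeScript below contrasts a mobile client that accepts any SSO callback carrying an authorization code with one that only honours a callback whose origin equals the server the login was started against, over HTTPS, and which echoes the per-attempt state nonce. All function names, the session shape and the sample URLs (lookalike host, userinfo trick, replayed state) are assumptions constructed for the example.

```typescript
// Added illustrative example, not Mattermost's code. Models a mobile client that
// started an SSO login against a user-chosen server and now receives the callback URL.
// Names, the session shape and every URL below are assumptions.

interface SsoSession {
  serverUrl: string; // server the user selected when the login was started
  state: string;     // random nonce generated per login attempt, sent with the auth request
}

interface CallbackResult {
  ok: boolean;
  code?: string;
  reason?: string;
}

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// scheme + host + port; URL.host already carries a non-default port
function originOf(u: URL): string {
  return `${u.protocol}//${u.host}`;
}

// Vulnerable pattern: any callback that carries a code is accepted, so a callback
// produced by a different (attacker-controlled) server is handed the code exchange.
function handleCallbackUnchecked(callbackUrl: string): CallbackResult {
  const cb = parseUrl(callbackUrl);
  const code = cb?.searchParams.get('code') ?? null;
  return code ? { ok: true, code } : { ok: false, reason: 'no code in callback' };
}

// Hardened pattern: the callback must come from exactly the origin the login was
// started against, over HTTPS, and must echo this session's state nonce.
function handleCallbackChecked(session: SsoSession, callbackUrl: string): CallbackResult {
  const cb = parseUrl(callbackUrl);
  const expected = parseUrl(session.serverUrl);
  if (!cb || !expected) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (cb.protocol !== 'https:') {
    return { ok: false, reason: `insecure scheme ${cb.protocol}` };
  }
  if (originOf(cb) !== originOf(expected)) {
    return { ok: false, reason: `origin mismatch: got ${originOf(cb)}, expected ${originOf(expected)}` };
  }
  if (cb.searchParams.get('state') !== session.state) {
    return { ok: false, reason: 'state mismatch' };
  }
  const code = cb.searchParams.get('code');
  if (!code) {
    return { ok: false, reason: 'no code in callback' };
  }
  return { ok: true, code };
}

// Constructed sample inputs (hypothetical hosts, not taken from the advisory).
const ssoSession: SsoSession = {
  serverUrl: 'https://chat.example.com',
  state: 'n0nce-7f3a',
};
const legitimateCallback =
  'https://chat.example.com/oauth/callback?code=AUTHCODE123&state=n0nce-7f3a';
const lookalikeCallback =
  'https://chat.example.com.evil.test/oauth/callback?code=AUTHCODE123&state=n0nce-7f3a';
const userinfoCallback =
  'https://chat.example.com@evil.test/oauth/callback?code=AUTHCODE123&state=n0nce-7f3a';
const replayedCallback =
  'https://chat.example.com/oauth/callback?code=AUTHCODE123&state=stale';
const plaintextCallback =
  'http://chat.example.com/oauth/callback?code=AUTHCODE123&state=n0nce-7f3a';
```

Comparing whole origins rather than substrings is what defeats the lookalike host (`chat.example.com.evil.test`) and the userinfo form (`chat.example.com@evil.test`, whose real host is `evil.test`); the state check additionally stops a captured callback from being replayed into a different login attempt.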

Affected Version(s)

Mattermost, from 0 up to and including 2.0.37

Mattermost, from 0 up to and including 11.0.4

Mattermost, from 0 up to and including 11.1.3

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability reserved
  • Vulnerability published: 21 May 2026

Credit

Doyensec.