Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-3590
6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
Race Condition in Guest Magic Link Authentication Allows Token Reuse
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent requests.. Mattermost Advisory ID: MMSA-2026-00624
References
-
MMSA-2026-00624 vendor-advisory
Affected products
Mattermost
- =<10.11.12
- ==11.6.0
- ==11.4.3
- ==11.3.3
- =<11.4.2
- ==11.5.1
- =<11.5.0
- =<11.3.2
- ==10.11.13
Matching in nixpkgs
pkgs.mattermost
Open source platform for secure collaboration across the entire software development lifecycle
pkgs.mattermostLatest
Open source platform for secure collaboration across the entire software development lifecycle
pkgs.mattermost-desktop
Mattermost Desktop client
pkgs.python312Packages.mattermostdriver
Python Mattermost Driver
pkgs.python313Packages.mattermostdriver
Python Mattermost Driver
pkgs.python314Packages.mattermostdriver
Python Mattermost Driver
Package maintainers
-
@mgdelacroix Miguel de la Cruz <mgdelacroix@gmail.com>
-
@ryantm Ryan Mulligan <ryan@ryantm.com>
-
@numinit Morgan Jones <me+nixpkgs@numin.it>
-
@jokogr Ioannis Koutras <ioannis.koutras@gmail.com>
-
@liff Olli Helenius <liff@iki.fi>
-
@globin Robin Gloster <mail@glob.in>