What is GHSA-jp3f-x449-4q75?

GHSA-jp3f-x449-4q75 is a security advisory published by GitHub Security Advisories with Low severity. Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

Which CVE IDs does GHSA-jp3f-x449-4q75 cover?

GHSA-jp3f-x449-4q75 covers the following CVE IDs: CVE-2026-6334. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-jp3f-x449-4q75?

GHSA-jp3f-x449-4q75 has a CVSS v3 base score of 3.1, published by GitHub Security Advisories.

Which products are affected by GHSA-jp3f-x449-4q75?

GHSA-jp3f-x449-4q75 affects 4 products, including: go/github.com/mattermost/mattermost/server/v8:\u003e= 11.5.0, \u003c 11.5.2; go/github.com/mattermost/mattermost/server/v8:\u003e= 10.11.0, \u003c 10.11.14; go/github.com/mattermost/mattermost/server/v8:\u003c 8.0.0-20260318173148-e9ae890a013b; go/github.com/mattermost/mattermost-server:\u003c 5.3.2-0.20260318173148-e9ae890a013b.

GHSA-jp3f-x449-4q75LowCVSS 3.1

Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

June 1, 2026

🔗 CVE IDs covered (1)

CVE-2026-6334 →

📋 Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermost Advisory ID: MMSA-2026-00570

🎯 Affected products4

go/github.com/mattermost/mattermost/server/v8:>= 11.5.0, < 11.5.2
go/github.com/mattermost/mattermost/server/v8:>= 10.11.0, < 10.11.14
go/github.com/mattermost/mattermost/server/v8:< 8.0.0-20260318173148-e9ae890a013b
go/github.com/mattermost/mattermost-server:< 5.3.2-0.20260318173148-e9ae890a013b

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-6334
https://mattermost.com/security-updates
https://github.com/mattermost/mattermost/commit/e9ae890a013bb57989fcbdb548d8b7b86b240237
https://github.com/advisories/GHSA-jp3f-x449-4q75