Mattermost Server exposes private team invite ID

GHSA-c253-8hr4-r8v9 · CVE-2017-18901 · GO-2026-4304

Published May 24, 2022 · Modified Feb 3, 2026

Description

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-18901
WEB https://github.com/mattermost/mattermost/commit/5e822a7d09214d5446d54e02a0611df8e64f3aa5
WEB https://github.com/mattermost/mattermost/commit/638c38cc0d2296335a0fbd5bde8b6d2cbf9f9062
WEB https://github.com/mattermost/mattermost/commit/a78ed923f1c73ae5551893374fb9803ee2f4c8e6
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes