Mattermost fails to enforce invite permissions when updating team settings

GHSA-cgjg-p2m2-qm4p · CVE-2025-14573 · GO-2026-4523

Published Feb 16, 2026 · Modified Apr 1, 2026

Description

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-14573
WEB https://github.com/mattermost/mattermost/commit/6404ab29acc04901c5cb1cf5ad97fc3c0693e2cd
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes