Mattermost fails to filter invite IDs based on user permissions

GHSA-fx49-m253-27jj · CVE-2026-2463 · GO-2026-4735

Published Mar 16, 2026 · Modified Mar 23, 2026

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-2463
WEB https://github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes