Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565
AnalysisAI
Mattermost fails to properly validate user permissions when filtering invite IDs during team creation, allowing authenticated users to bypass access controls and register unauthorized accounts using leaked or discovered invite tokens. Affected versions include Mattermost 11.3.0 and earlier in the 11.3.x branch, 11.2.2 and earlier in the 11.2.x branch, and 10.11.10 and earlier in the 10.11.x branch. An authenticated attacker with knowledge of valid invite IDs can circumvent intended access restrictions to create accounts that should be restricted, resulting in unauthorized account registration and potential lateral movement within the Mattermost instance.
Technical ContextAI
The vulnerability stems from improper access control enforcement in Mattermost's team invitation and account registration mechanism, classified under CWE-862 (Missing Authorization). Mattermost is a self-hosted team collaboration platform that manages user authentication, team membership, and invitation workflows. The root cause involves the invite ID validation logic failing to properly check whether the requesting user has permission to use or redeem a specific invite token. When users create teams or join existing teams via invite links, the application should verify that only authorized users can leverage those invitations, but this validation is either missing or incomplete. The vulnerability is particularly critical in team creation scenarios where invite IDs are generated but not properly scoped to authorized recipients, allowing any authenticated user to discover or obtain invite IDs (whether through leakage, disclosure, or enumeration) and use them regardless of intended access restrictions. The affected versions span multiple release branches, indicating this permission-checking logic has been inadequately enforced across multiple iterations of the codebase.
RemediationAI
Upgrade Mattermost to patched versions that address the invite ID permission validation logic—consult Mattermost Advisory MMSA-2025-00565 for exact patched version numbers for each affected branch (11.3.x, 11.2.x, and 10.11.x). The primary fix requires applying the vendor patch that implements proper authorization checks on invite token redemption, ensuring only authorized users can utilize specific invite IDs. As an interim mitigation before patching is possible, restrict invite ID sharing through administrative controls, disable team creation for unprivileged users if feasible, audit recent account registrations for suspicious patterns, and monitor audit logs for unauthorized invite ID usage. Additionally, implement network-level access controls to limit Mattermost exposure to trusted networks and consider implementing multi-factor authentication (MFA) to raise the barrier for account compromise. Organizations should also review and rotate any invite IDs that may have been exposed or logged in accessible locations.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12385
GHSA-fx49-m253-27jj