Skip to main content

Mattermost CVE-2026-2463

| EUVDEUVD-2026-12385 MEDIUM
Missing Authorization (CWE-862)
2026-03-16 Mattermost GHSA-fx49-m253-27jj
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 12:00 euvd
EUVD-2026-12385
Analysis Generated
Mar 16, 2026 - 12:00 vuln.today
CVE Published
Mar 16, 2026 - 11:13 nvd
MEDIUM 4.3

DescriptionCVE.org

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565

AnalysisAI

Mattermost fails to properly validate user permissions when filtering invite IDs during team creation, allowing authenticated users to bypass access controls and register unauthorized accounts using leaked or discovered invite tokens. Affected versions include Mattermost 11.3.0 and earlier in the 11.3.x branch, 11.2.2 and earlier in the 11.2.x branch, and 10.11.10 and earlier in the 10.11.x branch. An authenticated attacker with knowledge of valid invite IDs can circumvent intended access restrictions to create accounts that should be restricted, resulting in unauthorized account registration and potential lateral movement within the Mattermost instance.

Technical ContextAI

The vulnerability stems from improper access control enforcement in Mattermost's team invitation and account registration mechanism, classified under CWE-862 (Missing Authorization). Mattermost is a self-hosted team collaboration platform that manages user authentication, team membership, and invitation workflows. The root cause involves the invite ID validation logic failing to properly check whether the requesting user has permission to use or redeem a specific invite token. When users create teams or join existing teams via invite links, the application should verify that only authorized users can leverage those invitations, but this validation is either missing or incomplete. The vulnerability is particularly critical in team creation scenarios where invite IDs are generated but not properly scoped to authorized recipients, allowing any authenticated user to discover or obtain invite IDs (whether through leakage, disclosure, or enumeration) and use them regardless of intended access restrictions. The affected versions span multiple release branches, indicating this permission-checking logic has been inadequately enforced across multiple iterations of the codebase.

RemediationAI

Upgrade Mattermost to patched versions that address the invite ID permission validation logic—consult Mattermost Advisory MMSA-2025-00565 for exact patched version numbers for each affected branch (11.3.x, 11.2.x, and 10.11.x). The primary fix requires applying the vendor patch that implements proper authorization checks on invite token redemption, ensuring only authorized users can utilize specific invite IDs. As an interim mitigation before patching is possible, restrict invite ID sharing through administrative controls, disable team creation for unprivileged users if feasible, audit recent account registrations for suspicious patterns, and monitor audit logs for unauthorized invite ID usage. Additionally, implement network-level access controls to limit Mattermost exposure to trusted networks and consider implementing multi-factor authentication (MFA) to raise the barrier for account compromise. Organizations should also review and rotate any invite IDs that may have been exposed or logged in accessible locations.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-2463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy