3.8
Mattermost: Team Admins Can Bypass Invite Restrictions
CVE-2025-14573
GHSA-cgjg-p2m2-qm4p
Summary
Mattermost versions 10.11 through 10.11.9 have a security issue that allows team administrators to add users to a team without proper permission, even if restrictions are in place. This could lead to unauthorized users gaining access to sensitive team information. Update to version 10.11.10 or later to fix the issue.
What to do
- Update github.com mattermost to version 8.0.0-20251215190648-6404ab29acc0.
- Update github.com mattermost to version 5.3.2-0.20251215190648-6404ab29acc0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | mattermost | <= 8.0.0-20251215190648-6404ab29acc0 | 8.0.0-20251215190648-6404ab29acc0 |
| github.com | mattermost | > 11.1.0 , <= 11.1.3 | – |
| github.com | mattermost | > 10.11.0 , <= 10.11.10 | – |
| github.com | mattermost | > 11.2.0 , <= 11.2.2 | – |
| github.com | mattermost | <= 5.3.2-0.20251215190648-6404ab29acc0 | 5.3.2-0.20251215190648-6404ab29acc0 |
| mattermost | mattermost_server | > 10.11.0 , <= 10.11.10 | – |
Original title
Mattermost fails to enforce invite permissions when updating team settings
Original description
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
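The missing check the advisory describes, as an added example that is not Mattermost's own code: a hypothetical Go team-settings update handler in its vulnerable form (only the team-management permission is checked, so a team admin denied the invite permission can still widen who may join) beside a hardened form that also requires the invite permission before any membership-widening field changes. All type, field and permission names here are assumptions.

```go
package main

import "errors"

// Hypothetical permission model; names are assumptions, not Mattermost's own types.
type Permission string

const (
	PermManageTeam Permission = "manage_team" // held by every team admin
	PermInviteUser Permission = "invite_user" // may be withheld by policy
)

// Session is the caller behind an API request; Perms is what it has been granted.
type Session struct{ Perms map[Permission]bool }
func (s Session) Has(p Permission) bool { return s.Perms[p] }

// Team holds the setting that decides who may join without an invite.
type Team struct{ AllowOpenInvite bool }

// TeamPatch is a partial update; a nil field is left untouched.
type TeamPatch struct{ AllowOpenInvite *bool }

var ErrForbidden = errors.New("forbidden: missing permission")

// patchTeamVulnerable checks only the team-management permission (CWE-862):
// a team admin denied invite_user can still open the team through settings.
func patchTeamVulnerable(s Session, t *Team, p TeamPatch) error {
	if !s.Has(PermManageTeam) {
		return ErrForbidden
	}
	if p.AllowOpenInvite != nil {
		t.AllowOpenInvite = *p.AllowOpenInvite
	}
	return nil
}

// patchTeamHardened also requires invite_user whenever the patch touches a
// field that widens who can join, so the invite restriction holds on this path.
func patchTeamHardened(s Session, t *Team, p TeamPatch) error {
	if !s.Has(PermManageTeam) {
		return ErrForbidden
	}
	if p.AllowOpenInvite != nil {
		if !s.Has(PermInviteUser) {
			return ErrForbidden // reject before mutating anything
		}
		t.AllowOpenInvite = *p.AllowOpenInvite
	}
	return nil
}
```

The same gate belongs on every API path that can change membership-widening settings, not only the one a UI uses.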
NVD CVSS 3.1
2.7
Vulnerability type
CWE-862: Missing Authorization
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026