CVE-2017-18902
Description
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost Server before 4.1.0, 4.0.4, and 3.10.3 exposes team invite IDs via team API endpoints, allowing unauthorized team access.
The vulnerability in Mattermost Server allows attackers to discover team invite IDs through team API endpoints [1]. This is due to insufficient access control on these endpoints, which return the invite IDs that should remain secret for private teams.
The attack surface is the team API, which does not properly restrict access to invite ID information. An attacker with network access to the server can exploit this to obtain invite IDs without proper authentication [1].
Impact: An attacker can use the discovered invite IDs to join private teams without an invitation, gaining access to sensitive team communications and potentially escalating privileges within the Mattermost instance [1].
Mitigation: The issue is fixed in Mattermost versions 4.1.0, 4.0.4, and 3.10.3 [1]. Users must upgrade to a patched version to prevent exploitation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost-server | Go | < 3.10.3 | 3.10.3 |
| github.com/mattermost/mattermost-server | Go | >= 4.0.0, < 4.0.4 | 4.0.4 |
| github.com/mattermost/mattermost-server | Go | >= 4.0.5-rc1, < 4.1.0 | 4.1.0 |
Affected products
- Mattermost/Server (from the CVE description; no CPE): range < 3.10.3
- pkg:golang/github.com/mattermost/mattermost-server (GHSA coordinates, 3 version ranges): < 3.10.3 and the two 4.x ranges listed above
- pkg:rpm/opensuse/govulncheck-vulndb (distro: openSUSE Leap 15.6; no CPE): range < 0.0.20251209T172047-150000.1.127.1
- pkg:rpm/suse/govulncheck-vulndb (distro: SUSE Linux Enterprise Module for Package Hub 15 SP6; no CPE): range < 0.0.20251209T172047-150000.1.127.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-jwfv-5hwq-f97r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-18902 (GHSA, advisory)
- mattermost.com/security-updates (GHSA, web)
- mattermost.com/security-updates/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.