Low severity · NVD Advisory · Published Feb 16, 2026 · Updated Feb 17, 2026
Team Admin Bypass of Invite Permissions via allow_open_invite Field
CVE-2025-14573
Description
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20251215190648-6404ab29acc0 | 8.0.0-20251215190648-6404ab29acc0 |
| github.com/mattermost/mattermost-server (Go) | >= 11.1.0 | — |
| github.com/mattermost/mattermost-server (Go) | >= 10.11.0 | — |
| github.com/mattermost/mattermost-server (Go) | >= 11.2.0 | — |
| github.com/mattermost/mattermost-server (Go) | < 5.3.2-0.20251215190648-6404ab29acc0 | 5.3.2-0.20251215190648-6404ab29acc0 |
Affected products
- ghsa-coords (3 versions): pkg:golang/github.com/mattermost/mattermost-server, pkg:golang/github.com/mattermost/mattermost/server/v8, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: >= 11.1.0
- (no CPE) range: < 8.0.0-20251215190648-6404ab29acc0
- (no CPE) range: < 0.0.20260226T182644-150000.1.149.1
- Range: 10.11.0
References
- github.com/advisories/GHSA-cgjg-p2m2-qm4p (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-14573 (ghsa, ADVISORY)
- github.com/mattermost/mattermost/commit/6404ab29acc04901c5cb1cf5ad97fc3c0693e2cd (ghsa, WEB)