Moderate severityNVD Advisory· Published Mar 16, 2026· Updated Mar 16, 2026
Unauthorized access to invite ID during team creation
CVE-2026-2463
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost/server/v8Go | < 8.0.0-20260105134819-cc427af41b2a | 8.0.0-20260105134819-cc427af41b2a |
github.com/mattermost/mattermost-serverGo | < 5.3.2-0.20260105134819-cc427af41b2a | 5.3.2-0.20260105134819-cc427af41b2a |
github.com/mattermost/mattermost-serverGo | >= 10.11.0-rc1, < 10.11.11 | 10.11.11 |
github.com/mattermost/mattermost-serverGo | >= 11.2.0-rc1, < 11.2.3 | 11.2.3 |
github.com/mattermost/mattermost-serverGo | >= 11.3.0-rc1, < 11.3.1 | 11.3.1 |
Affected products
4- ghsa-coords3 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:golang/github.com/mattermost/mattermost/server/v8pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 5.3.2-0.20260105134819-cc427af41b2a+ 2 more
- (no CPE)range: < 5.3.2-0.20260105134819-cc427af41b2a
- (no CPE)range: < 8.0.0-20260105134819-cc427af41b2a
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
- Range: 11.3.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-fx49-m253-27jjghsaADVISORY
- mattermost.com/security-updatesghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-2463ghsaADVISORY
- github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8ghsaWEB
News mentions
0No linked articles in our index yet.