VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Mar 16, 2026· Updated Mar 16, 2026

Unauthorized access to invite ID during team creation

CVE-2026-2463

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost/server/v8Go
< 8.0.0-20260105134819-cc427af41b2a8.0.0-20260105134819-cc427af41b2a
github.com/mattermost/mattermost-serverGo
< 5.3.2-0.20260105134819-cc427af41b2a5.3.2-0.20260105134819-cc427af41b2a
github.com/mattermost/mattermost-serverGo
>= 10.11.0-rc1, < 10.11.1110.11.11
github.com/mattermost/mattermost-serverGo
>= 11.2.0-rc1, < 11.2.311.2.3
github.com/mattermost/mattermost-serverGo
>= 11.3.0-rc1, < 11.3.111.3.1

Affected products

1

Patches

1
cc427af41b2a

[MM-66827] Omit invite_id from team creation response based on permissions (#34693)

https://github.com/mattermost/mattermostM-ZubairAhmedJan 5, 2026via ghsa
commit
3 files changed · +30 0
  • server/channels/api4/team.go+6 0 modified
    @@ -127,6 +127,12 @@ func createTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Don't sanitize the team here since the user will be a team admin and their session won't reflect that yet
+	// instead check the scheme roles for the team and if the user has the permission to invite users
+	_, schemeUserRole, schemeAdminRole, schemeErr := c.App.GetSchemeRolesForTeam(rteam.Id)
+	if schemeErr != nil || !c.App.RolesGrantPermission([]string{schemeUserRole, schemeAdminRole}, model.PermissionInviteUser.Id) {
+		// If we can't check permissions, fail secure by hiding the invite_id because the team is already created above
+		rteam.InviteId = ""
+	}
 
 	auditRec.Success()
 	auditRec.AddEventResultState(&team)
  • server/channels/api4/team_test.go+23 0 modified
    @@ -233,6 +233,29 @@ func TestCreateTeamSanitization(t *testing.T) {
 	}, "system admin")
 }
 
+func TestCreateTeamInviteIdHiddenWithoutInvitePermission(t *testing.T) {
+	th := Setup(t)
+
+	defaultRolePermissions := th.SaveDefaultRolePermissions(t)
+	defer th.RestoreDefaultRolePermissions(t, defaultRolePermissions)
+
+	// Remove PermissionInviteUser from the default team user role
+	th.RemovePermissionFromRole(t, model.PermissionInviteUser.Id, model.TeamUserRoleId)
+
+	// Regular user creates a team - InviteId should be hidden
+	// since the team user role lacks invite permission
+	rteam, _, err := th.Client.CreateTeam(context.Background(), &model.Team{
+		DisplayName:    "Team Without Invite Permission",
+		Name:           GenerateTestTeamName(),
+		Email:          th.GenerateTestEmail(),
+		Type:           model.TeamOpen,
+		AllowedDomains: "simulator.amazonses.com,localhost",
+	})
+	require.NoError(t, err)
+	require.NotEmpty(t, rteam.Email, "should not have sanitized email")
+	require.Empty(t, rteam.InviteId, "should have hidden invite_id when user lacks invite permission")
+}
+
 func TestGetTeam(t *testing.T) {
 	mainHelper.Parallel(t)
  • server/channels/app/team.go+1 0 modified
    @@ -375,6 +375,7 @@ func (a *App) sendTeamEvent(team *model.Team, event model.WebsocketEventType) *m
 	return nil
 }
 
+// GetSchemeRolesForTeam Gets the scheme roles for a team, they may be empty, default or custom permissions based on the scheme.
 func (a *App) GetSchemeRolesForTeam(teamID string) (string, string, string, *model.AppError) {
 	team, err := a.GetTeam(teamID)
 	if err != nil {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.