Primary

Context

Mattermost Team Settings Invite Permission Bypass Vulnerability

Vulnerability

Patched

A vulnerability exists in Mattermost versions 10.11.x prior to 10.11.9, where the application fails to properly enforce invite permissions when team settings are updated. This flaw allows team administrators without the necessary permissions to circumvent restrictions and add users to their team via API requests.

Impact

Exploitation of this vulnerability could lead to unauthorized users being added to teams, potentially allowing them access to sensitive information or discussions.

Remediation

Users can upgrade to Mattermost version 10.11.10 or later to address this vulnerability.

Added: Feb 16, 2026, 2:11 PM

Updated: Feb 16, 2026, 2:11 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

3.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

3.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Team Settings Invite Permission Bypass Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating