Mattermost Invite Permission Vulnerability in Team Privacy Settings

Vulnerability

A permission-check flaw exists in Mattermost 9.11.x releases before 9.11.16 (the other supported release lines are affected before the fixed versions listed under Remediation). A team admin who does not hold the permission to invite users can still open the team to new members: after switching the team to public, the admin changes the team's 'allow_open_invite' field, and the server accepts that change without checking the invite permission. The missing check on this second step is what bypasses the restriction.
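The two-step bypass and the check that closes it, as an added illustration in Go (Mattermost's implementation language). This is example code written for this page, not Mattermost's own handler; the permission names, the "O"/"I" team types and the patch structure are simplified stand-ins modelled loosely on Mattermost's terminology, and patchTeamVulnerable, patchTeamFixed and runScenario are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission names are simplified stand-ins for this example.
type Permission string

const (
	PermManageTeam Permission = "manage_team" // held by every team admin
	PermInviteUser Permission = "invite_user" // the permission the bypass sidesteps
)

const (
	TeamOpen       = "O" // public team
	TeamInviteOnly = "I" // members must be invited
)

type Team struct {
	Name            string
	Type            string
	AllowOpenInvite bool
}

// JoinableByAnyone reports whether the team can be joined without an invite.
func (t Team) JoinableByAnyone() bool {
	return t.Type == TeamOpen && t.AllowOpenInvite
}

// TeamPatch mirrors a partial update: nil means "leave unchanged".
type TeamPatch struct {
	Type            *string
	AllowOpenInvite *bool
}

type Session struct {
	UserID string
	Perms  map[Permission]bool
}

func (s Session) Has(p Permission) bool { return s.Perms[p] }

var ErrForbidden = errors.New("forbidden: missing permission")

func apply(t *Team, p TeamPatch) {
	if p.Type != nil {
		t.Type = *p.Type
	}
	if p.AllowOpenInvite != nil {
		t.AllowOpenInvite = *p.AllowOpenInvite
	}
}

// patchTeamVulnerable only checks that the caller may manage the team, so a
// team admin can enable open invites without ever holding invite_user.
func patchTeamVulnerable(s Session, t *Team, p TeamPatch) error {
	if !s.Has(PermManageTeam) {
		return ErrForbidden
	}
	apply(t, p)
	return nil
}

// patchTeamFixed additionally requires invite_user whenever the patch would
// turn allow_open_invite on, since that is equivalent to inviting anyone.
func patchTeamFixed(s Session, t *Team, p TeamPatch) error {
	if !s.Has(PermManageTeam) {
		return ErrForbidden
	}
	enablingOpenInvite := p.AllowOpenInvite != nil && *p.AllowOpenInvite && !t.AllowOpenInvite
	if enablingOpenInvite && !s.Has(PermInviteUser) {
		return ErrForbidden
	}
	apply(t, p)
	return nil
}

// runScenario replays the sequence from the advisory: a team admin holding
// manage_team but not invite_user makes the team public, then flips
// allow_open_invite. It returns whether the team ended up joinable by anyone
// and the error (if any) from the step that was rejected.
func runScenario(patch func(Session, *Team, TeamPatch) error) (bool, error) {
	admin := Session{UserID: "team-admin", Perms: map[Permission]bool{PermManageTeam: true}}
	team := &Team{Name: "engineering", Type: TeamInviteOnly} // constructed sample team
	open := TeamOpen
	if err := patch(admin, team, TeamPatch{Type: &open}); err != nil {
		return team.JoinableByAnyone(), err
	}
	yes := true
	if err := patch(admin, team, TeamPatch{AllowOpenInvite: &yes}); err != nil {
		return team.JoinableByAnyone(), err
	}
	return team.JoinableByAnyone(), nil
}

func main() {
	open, err := runScenario(patchTeamVulnerable)
	fmt.Printf("vulnerable handler: joinable by anyone=%v err=%v\n", open, err)
	open, err = runScenario(patchTeamFixed)
	fmt.Printf("fixed handler:      joinable by anyone=%v err=%v\n", open, err)
}
```

The first step (making the team public) is a legitimate team-admin action in both versions; the fix is to treat enabling open invites as an invitation and gate it on the same permission a direct invite would require.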

Impact

Exploitation of this vulnerability lets a team admin without invite rights open a team to users who would otherwise need an authorized invitation, so those users can join teams they would not normally be permitted to join.

Remediation

Users can upgrade to one of the following Mattermost versions to address this vulnerability: 10.9.0, 10.8.1, 10.7.3, 10.6.6, 10.5.6 or 9.11.16. Until the upgrade is applied, administrators can review which teams currently have open invites enabled and who holds team admin rights on them.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.