Mattermost Permission Bypass Vulnerability Allowing Unauthorized Guest User Invites

Vulnerability

A vulnerability exists in Mattermost versions 10.6.x through 10.6.1, 10.5.x through 10.5.2, 10.4.x through 10.4.4, and 9.11.x through 9.11.11. The issue arises from improper permission checks: an authenticated user who holds only the permission to invite non-guest users to a team can instead add guest users through the API. Each exploitation adds a single user to a team, bypassing the intended permission restrictions.

Impact

Exploitation of this vulnerability allows for unauthorized addition of guest users to teams, potentially leading to misuse of team resources or information.
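The flaw described above is an authorization check that looks only at the actor's generic "invite user" permission and never at the kind of account being added. The following Go example, written for this page and not taken from Mattermost's code base, models that pattern with constructed names (PermInviteUser, PermInviteGuest, the User/Team types and the grants table are all assumptions) and places the flawed handler beside a hardened one that additionally requires a guest-specific permission whenever the target account is a guest.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, simplified permission model for this example. These names
// are assumptions and are not Mattermost's real API or permission names.
type Permission string

const (
	PermInviteUser  Permission = "invite_user"  // may add regular members
	PermInviteGuest Permission = "invite_guest" // may add guest accounts
)

type User struct {
	ID      string
	IsGuest bool
}

type Team struct {
	ID      string
	Members map[string]bool
}

var ErrForbidden = errors.New("forbidden: missing permission")

// grants is a constructed in-memory table: actorID -> teamID -> permission.
type grants map[string]map[string]map[Permission]bool

func (g grants) can(actorID, teamID string, perm Permission) bool {
	return g[actorID][teamID][perm]
}

// addUserToTeamVulnerable shows the flawed pattern: only the generic invite
// permission is checked, so a guest account can be added by anyone who may
// invite regular members.
func addUserToTeamVulnerable(g grants, actor, target *User, team *Team) error {
	if !g.can(actor.ID, team.ID, PermInviteUser) {
		return ErrForbidden
	}
	team.Members[target.ID] = true
	return nil
}

// addUserToTeamFixed keeps the generic check and additionally requires the
// guest-specific permission when the target account is a guest.
func addUserToTeamFixed(g grants, actor, target *User, team *Team) error {
	if !g.can(actor.ID, team.ID, PermInviteUser) {
		return ErrForbidden
	}
	if target.IsGuest && !g.can(actor.ID, team.ID, PermInviteGuest) {
		return ErrForbidden
	}
	team.Members[target.ID] = true
	return nil
}

// scenario tries to add a guest account on behalf of an actor who holds
// only the member-invite permission. It returns whether the vulnerable and
// the fixed handler, respectively, allowed the addition.
func scenario() (vulnerableAllowed, fixedAllowed bool) {
	g := grants{"alice": {"team-1": {PermInviteUser: true}}}
	actor := &User{ID: "alice"}
	guest := &User{ID: "guest-bob", IsGuest: true}
	t1 := &Team{ID: "team-1", Members: map[string]bool{}}
	t2 := &Team{ID: "team-1", Members: map[string]bool{}}
	return addUserToTeamVulnerable(g, actor, guest, t1) == nil,
		addUserToTeamFixed(g, actor, guest, t2) == nil
}

// regularMemberStillWorks confirms the hardened check does not block the
// legitimate case: the same actor adding a non-guest account.
func regularMemberStillWorks() bool {
	g := grants{"alice": {"team-1": {PermInviteUser: true}}}
	actor := &User{ID: "alice"}
	member := &User{ID: "carol"}
	team := &Team{ID: "team-1", Members: map[string]bool{}}
	return addUserToTeamFixed(g, actor, member, team) == nil
}

func main() {
	v, f := scenario()
	fmt.Printf("guest added by member-inviter: vulnerable=%v fixed=%v\n", v, f)
	fmt.Printf("regular member still addable under fix: %v\n", regularMemberStillWorks())
}
```

The hardened handler makes the decision depend on a property of the target (its guest status) rather than only on the actor's role, which is the check the flawed version omits; a regression test for such a fix should cover both the guest-denied and the regular-member-allowed cases.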

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.