Mattermost Team Privacy Settings Vulnerability Allowing Unauthorized Access to Invite IDs

Vulnerability

A vulnerability exists in Mattermost versions 10.7.0, 10.6.2, 10.5.3, and 9.11.12, where the application fails to properly validate permissions when team administrators attempt to change privacy settings. This oversight allows team administrators without the 'invite user' permission to access and modify team invite IDs through the /api/v4/teams/:teamId/privacy endpoint.

Impact

Exploitation of this vulnerability allows unauthorized modification of team invite IDs by administrators lacking the appropriate permissions.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

0.0

relevance

0.1

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

0.0

relevance

0.1

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Team Privacy Settings Vulnerability Allowing Unauthorized Access to Invite IDs

Vulnerability

Impact

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating