CVE-2025-14573 — Missing Authorization in Mattermost Mattermost-server

CWE-862 — Missing Authorization6 documents5 sources

Severity

2.7LOWNVD

CNA3.8

EPSS

0.0%

top 91.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedFeb 16

Latest updateFeb 23

Description

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages4 packages

▶NVDmattermost/mattermost_server10.11.0 — 10.11.10

▶Gogithub.com/mattermost_mattermost-server< 5.3.2-0.20251215190648-6404ab29acc0+6

▶Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20251215190648-6404ab29acc0

▶CVEListV5mattermost/mattermost10.11.0 — 10.11.9

🔴Vulnerability Details

OSV

Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server↗2026-02-23

▶

CVEList

Team Admin Bypass of Invite Permissions via allow_open_invite Field↗2026-02-16

▶

GHSA

Mattermost fails to enforce invite permissions when updating team settings↗2026-02-16

▶

OSV

Mattermost fails to enforce invite permissions when updating team settings↗2026-02-16

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14573 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶