CVE-2026-2463Missing Authorization in Mattermost Mattermost-server

CWE-862Missing Authorization6 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 93.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedMar 16
Latest updateMar 23

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDmattermost/mattermost_server10.11.010.11.11+2
Gogithub.com/mattermost_mattermost-server10.11.0-rc1+incompatible10.11.11+incompatible+6
Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20260105134819-cc427af41b2a
CVEListV5mattermost/mattermost11.3.011.3.0+2

🔴Vulnerability Details

4
OSV
Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server2026-03-23
CVEList
Unauthorized access to invite ID during team creation2026-03-16
GHSA
Mattermost fails to filter invite IDs based on user permissions2026-03-16
OSV
Mattermost fails to filter invite IDs based on user permissions2026-03-16

🕵️Threat Intelligence

1
Wiz
CVE-2026-2463 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2463 — Missing Authorization | cvebase