Home

Description

Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671

PUBLISHED Reserved 2026-05-28 | Published 2026-07-13 | Updated 2026-07-13 | Assigner Mattermost




LOW: 3.8CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-862: Missing Authorization

Product status

Default status
unaffected

11.7.0 (semver)
affected

10.11.0 (semver)
affected

11.8.0
unaffected

11.7.3
unaffected

10.11.20
unaffected

Credits

0x7oda7123 finder

References

mattermost.com/security-updates (MMSA-2026-00671) vendor-advisory

cve.org (CVE-2026-9820)

nvd.nist.gov (CVE-2026-9820)

Download JSON