Description
Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
Vendor Solution
Update Mattermost to versions 11.8.0, 11.7.3, 10.11.20 or higher.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
| Link | Providers |
|---|---|
| https://mattermost.com/security-updates |
|
History
Mon, 13 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671 | |
| Title | Mattermost schemes teams endpoint exposes private team invite IDs | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2026-07-13T10:51:34.023Z
Reserved: 2026-05-28T11:26:12.173Z
Link: CVE-2026-9820
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses