GHSA-fx49-m253-27jj

Source
https://github.com/advisories/GHSA-fx49-m253-27jj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fx49-m253-27jj/GHSA-fx49-m253-27jj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fx49-m253-27jj
Aliases
Published
2026-03-16T15:30:43Z
Modified
2026-03-23T18:56:08.610141Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mattermost fails to filter invite IDs based on user permissions
Details

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565

Database specific
{
    "nvd_published_at": "2026-03-16T14:19:30Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2026-03-17T20:02:22Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true
}
References

Affected packages

Go
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.0.0-20260105134819-cc427af41b2a

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fx49-m253-27jj/GHSA-fx49-m253-27jj.json"
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.3.2-0.20260105134819-cc427af41b2a

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fx49-m253-27jj/GHSA-fx49-m253-27jj.json"
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
10.11.0-rc1
Fixed
10.11.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fx49-m253-27jj/GHSA-fx49-m253-27jj.json"
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
11.2.0-rc1
Fixed
11.2.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fx49-m253-27jj/GHSA-fx49-m253-27jj.json"
github.com/mattermost/mattermost-server

Package

Name
github.com/mattermost/mattermost-server
Purl
pkg:golang/github.com/mattermost/mattermost-server

Affected ranges

Type
SEMVER
Events
Introduced
11.3.0-rc1
Fixed
11.3.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fx49-m253-27jj/GHSA-fx49-m253-27jj.json"