Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
Metrics
Affected Vendors & Products
References
| Link | Providers |
|---|---|
| https://mattermost.com/security-updates |
|
History
Mon, 13 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671 | |
| Title | Mattermost schemes teams endpoint exposes private team invite IDs | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2026-07-13T10:51:34.023Z
Reserved: 2026-05-28T11:26:12.173Z
Link: CVE-2026-9820
No data.
No data.
No data.
OpenCVE Enrichment
No data.