CVE-2025-14573

LOW3.8EPSS 0.03%

Mattermost fails to enforce invite permissions when updating team settings

Published: 2/16/2026Modified: 4/1/2026

Also known as:GHSA-cgjg-p2m2-qm4pGO-2026-4523

Description

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

Affected packages (6)

Go/github.com/mattermost/mattermost-server>= 11.1.0
Go/github.com/mattermost/mattermost-serverfrom 0
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6from 0
Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251215190648-6404ab29acc0
Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251215190648-6404ab29acc0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYhttps://github.com/advisories/GHSA-cgjg-p2m2-qm4p
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-14573
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://github.com/mattermost/mattermost/commit/6404ab29acc04901c5cb1cf5ad97fc3c0693e2cd
WEBhttps://mattermost.com/security-updates