CVE-2025-14573

LOW3.8EPSS 0.03%

Mattermost fails to enforce invite permissions when updating team settings

發布日:2026/2/16修改日:2026/4/1

也稱為:GHSA-cgjg-p2m2-qm4pGO-2026-4523

描述

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

受影響套件(6)

Go/github.com/mattermost/mattermost-server>= 11.1.0
Go/github.com/mattermost/mattermost-serverfrom 0
Go/github.com/mattermost/mattermost-server/v5from 0
Go/github.com/mattermost/mattermost-server/v6from 0
Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251215190648-6404ab29acc0
Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20251215190648-6404ab29acc0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW3.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

參考連結(5)

ADVISORYhttps://github.com/advisories/GHSA-cgjg-p2m2-qm4p
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-14573
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://github.com/mattermost/mattermost/commit/6404ab29acc04901c5cb1cf5ad97fc3c0693e2cd
WEBhttps://mattermost.com/security-updates