CVE-2026-2463

描述

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565

受影響套件(6)

• Go/github.com/mattermost/mattermost-serverfrom 0, < 5.3.2-0.20260105134819-cc427af41b2a
• Go/github.com/mattermost/mattermost-server>= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
• Go/github.com/mattermost/mattermost-server/v5from 0
• Go/github.com/mattermost/mattermost-server/v6from 0
• Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20260105134819-cc427af41b2a
• Go/github.com/mattermost/mattermost/server/v8from 0, < 8.0.0-20260105134819-cc427af41b2a

CVSS 分數

參考連結(5)

• ADVISORYhttps://github.com/advisories/GHSA-fx49-m253-27jj
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-2463
• PATCHhttps://github.com/mattermost/mattermost
• WEBhttps://github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8
• WEBhttps://mattermost.com/security-updates