{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2463", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-13T11:32:02.091Z", "datePublished": "2026-03-16T11:13:57.575Z", "dateUpdated": "2026-03-16T13:49:58.332Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.3.0", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThanOrEqual": "11.2.2", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.10", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"version": "11.4.0", "status": "unaffected"}, {"version": "11.3.1", "status": "unaffected"}, {"version": "11.2.3", "status": "unaffected"}, {"version": "10.11.11", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "omarAhmed1"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00565", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2025-00565", "defect": ["https://mattermost.atlassian.net/browse/MM-66826"], "discovery": "EXTERNAL"}, "title": "Unauthorized access to invite ID during team creation", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-16T11:13:57.575Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2463", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:42:48.601175Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:49:58.332Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2463", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:42:48.601175Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:44:19.874Z"}}], "cna": {"title": "Unauthorized access to invite ID during team creation", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-66826"], "advisory": "MMSA-2025-00565", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "omarAhmed1"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.3.0", "versionType": "semver", "lessThanOrEqual": "11.3.0"}, {"status": "affected", "version": "11.2.0", "versionType": "semver", "lessThanOrEqual": "11.2.2"}, {"status": "affected", "version": "10.11.0", "versionType": "semver", "lessThanOrEqual": "10.11.10"}, {"status": "unaffected", "version": "11.4.0"}, {"status": "unaffected", "version": "11.3.1"}, {"status": "unaffected", "version": "11.2.3"}, {"status": "unaffected", "version": "10.11.11"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00565", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-16T11:13:57.575Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2463", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:49:58.332Z", "dateReserved": "2026-02-13T11:32:02.091Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-03-16T11:13:57.575Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91", "versionEndExcluding": "10.11.11", "versionStartIncluding": "10.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881", "versionEndExcluding": "11.2.3", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "945A6E29-209F-4992-8692-BEF63DCB6B98", "versionEndExcluding": "11.3.1", "versionStartIncluding": "11.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565"}, {"lang": "es", "value": "Las versiones de Mattermost 11.3.x &lt;= 11.3.0, 11.2.x &lt;= 11.2.2, 10.11.x &lt;= 10.11.10 no filtran los ID de invitaci\u00f3n bas\u00e1ndose en los permisos de usuario, lo que permite a los usuarios regulares eludir las restricciones de control de acceso y registrar cuentas no autorizadas a trav\u00e9s de ID de invitaci\u00f3n filtrados durante la creaci\u00f3n de equipos. ID de Aviso de Mattermost: MMSA-2025-00565"}], "id": "CVE-2026-2463", "lastModified": "2026-03-18T17:43:26.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:30.193", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.3.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.2.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.11.10]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.3.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.2.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.11.11"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "server", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-03-18T18:53:14.529994+00:00", "value": {"mitigation_remediation": ["Apply the vendor update to Mattermost Server version 11.4.0, 11.3.1, 11.2.3, 10.11.11, or any later release", "Verify that the updated version is running by checking the server version information"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access Control Bypass allowing creation of user accounts via exposed invite IDs"}, "threat_synthesis": {"affected_systems": "All Mattermost Server releases with versions 11.3.x up to and including 11.3.0, 11.2.x up to and including 11.2.2, and 10.11.x up to and including 10.11.10 are affected. The vendor recommends upgrading to any release newer than these, such as 11.4.0, 11.3.1, 11.2.3, or 10.11.11.", "description_and_impact": "Mattermost server versions that do not filter invite IDs according to user permissions allow any logged\u2011in user to supply a leaked invite token and create a new account that is not intended to belong to a specific team. This flaw provides an unauthorized user with the ability to add themselves or others to teams, thereby compromising the integrity and confidentiality of team membership. The weakness is classified as CWE-862, Improper Authorization.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, while the EPSS score of less than 1% suggests that real\u2011world exploitation is unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation does not require elevated privileges beyond a normal user account; an attacker who can access a valid invite ID can directly create an unauthorized account during team creation. Although the risk is moderate, the potential to manipulate team composition can be critical for organizations with strict access controls."}}}}, "created": "2026-03-24T10:44:58.675449+00:00", "updated": "2026-03-30T07:02:47.262196+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost", "mattermost$PRODUCT$server"]}