Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
Update Mattermost to versions 11.8.0, 11.7.3, 10.11.20 or higher.
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://mattermost.com/security-updates |
|
History
Mon, 13 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671 | |
| Title | Mattermost schemes teams endpoint exposes private team invite IDs | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2026-07-13T10:51:34.023Z
Reserved: 2026-05-28T11:26:12.173Z
Link: CVE-2026-9820
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses