Back to overview

CVE-2026-9820

LOW
3.8
CVSS 3.1
Description
Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671

Metadata

CVE ID
CVE-2026-9820
State
PUBLISHED
Assigner
Mattermost
Reserved
2026-05-28 11:26 UTC
Published
2026-07-13 10:51 UTC
Last updated
2026-07-13 13:09 UTC
Primary CWE
CWE-862
CWE-862: Missing Authorization
Vendor / Product
Mattermost / Mattermost
Sources
cve.org  ·  NVD

Severity & Metrics

3.8 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Mattermost Mattermost 11.7.0 ≤ 11.7.2, 10.11.0 ≤ 10.11.19, 11.8.0, 11.7.3 …
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
3.8 LOW 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
References (1)
Back to overview