CVE-2026-2463 MEDIUM

CVE-2026-2463: Unauthorized access to invite ID during team creation

Vendor Mattermost
Product Mattermost
Weakness CWE-862 · Missing authorization
Published March 16, 2026
Last update March 16, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565

Key dates

02Disclosure timeline

March 16, 2026 CVE published
March 16, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-54741 WordPress Super Blank Plugin <= 1.2.0 - Arbitrary Content Deletion Vulnerability CVE-2025-13666 Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification CVE-2023-40004 Unauth. Access Token Manipulation vulnerability in multiple ServMask WordPress plugins CVE-2026-35621 OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence CVE-2024-7767 Improper Access Control in danswer-ai/danswer