Vulnerability Details CVE-2026-2463
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.2%
CVSS Severity
CVSS v3 Score 4.3
References
Products affected by CVE-2026-2463
-
cpe:2.3:a:mattermost:mattermost_server:10.11.0
-
cpe:2.3:a:mattermost:mattermost_server:10.11.1
-
cpe:2.3:a:mattermost:mattermost_server:10.11.10
-
cpe:2.3:a:mattermost:mattermost_server:10.11.2
-
cpe:2.3:a:mattermost:mattermost_server:10.11.3
-
cpe:2.3:a:mattermost:mattermost_server:10.11.4
-
cpe:2.3:a:mattermost:mattermost_server:10.11.5
-
cpe:2.3:a:mattermost:mattermost_server:10.11.6
-
cpe:2.3:a:mattermost:mattermost_server:10.11.7
-
cpe:2.3:a:mattermost:mattermost_server:10.11.8
-
cpe:2.3:a:mattermost:mattermost_server:10.11.9
-
cpe:2.3:a:mattermost:mattermost_server:11.2.0
-
cpe:2.3:a:mattermost:mattermost_server:11.2.1
-
cpe:2.3:a:mattermost:mattermost_server:11.2.2
-
cpe:2.3:a:mattermost:mattermost_server:11.3.0