PT-2025-4490 · Mattermost +1

Omar Ahmed · Published 2025-01-09 · Updated 2025-01-30

CVE-2025-22449

CVSS v3.1: 3.8 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.0 through 9.11.5

Description: Mattermost fails to enforce invite permissions. Team admins who do not have permission to invite users to their team can still bring users in by making the team public and updating the allow open invite field.

Recommendations: For Mattermost versions 9.11.0 through 9.11.5, update to version 9.11.6 or later to resolve the issue. As a temporary workaround, consider restricting the ability of team admins to make their teams public until the patch is applied. Restrict access to the allow open invite field to minimize the risk of exploitation.
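The authorization gap described above, modelled as an added Go example that is not Mattermost's own code: the permission names, the TeamPatch type and both check functions are assumptions for illustration, showing the weak check beside a check that treats opening a team to self-join as an invite action.

```go
package main

import "fmt"

// Perms models two team-level permissions. The names are assumptions for
// this example, not Mattermost's own permission constants.
type Perms struct {
	ManageTeam bool // may edit team settings
	InviteUser bool // may invite users to the team
}

// TeamPatch is a partial update; a nil field means "leave unchanged".
type TeamPatch struct {
	AllowOpenInvite *bool
}

// vulnerableCanPatch models the 9.11.0-9.11.5 behaviour in the advisory:
// the manage-team permission alone lets an admin flip allow_open_invite,
// so anyone can join even though the admin may not invite users.
func vulnerableCanPatch(p Perms, patch TeamPatch) bool {
	return p.ManageTeam
}

// hardenedCanPatch additionally requires the invite permission whenever
// the patch would set allow_open_invite to true; closing the team or
// touching unrelated fields still needs only manage-team rights.
func hardenedCanPatch(p Perms, patch TeamPatch) bool {
	if !p.ManageTeam {
		return false
	}
	if patch.AllowOpenInvite != nil && *patch.AllowOpenInvite {
		return p.InviteUser
	}
	return true
}

func main() {
	// Constructed sample actor: a team admin without invite permission.
	admin := Perms{ManageTeam: true, InviteUser: false}
	open := true
	patch := TeamPatch{AllowOpenInvite: &open}
	fmt.Println("vulnerable check allows:", vulnerableCanPatch(admin, patch))
	fmt.Println("hardened check allows:  ", hardenedCanPatch(admin, patch))
}
```

For detection while unpatched, team-update events that set the allow open invite field to true by admins who lack invite permission are the audit signal to look for.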

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2025-22449
GHSA-Q8FG-CP3Q-5JWM
GO-2025-3377
OPENSUSE-SU-2025:14644-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Mattermost
Suse