PT-2026-8341 · Mattermost · Mattermost

Omarahmed1 · Published 2026-02-16 · Updated 2026-03-03 · CVE-2025-14573

CVSS v3.1: 3.8 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Mattermost versions 10.11.0 through 10.11.9

Description

Mattermost versions 10.11.x up to and including 10.11.9 do not properly enforce invite permissions when team settings are updated. This allows team administrators who lack the necessary permissions to circumvent restrictions and add users to their team using API requests. The bypass goes through the "/api/teams/{team_id}" endpoint when team settings are updated, specifically through the allow_open_invite field.

Recommendations

Update Mattermost to a version later than 10.11.9.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-14573
GHSA-CGJG-P2M2-QM4P
GO-2026-4523
SUSE-SU-2026:0757-1

Affected Products

Mattermost