GHSA-q8fg-cp3q-5jwm

GitHub Security Advisory

Mattermost Incorrect Authorization vulnerability

✓ GitHub Reviewed LOW Has CVE

Advisory Details

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions. As a result, team admins who have no permission to invite users to their team can still invite users by making their team public, which updates the "allow_open_invite" field.

Affected Packages

Go github.com/mattermost/mattermost/server/v8
Affected versions: 9.11.0 (fixed in 9.11.6)
Go github.com/mattermost/mattermost/server/v8
Affected versions: 0 (fixed in 8.0.0-20250102081831-64c566a8280b)

Related CVEs

Key Information

GHSA ID: GHSA-q8fg-cp3q-5jwm
Published: January 9, 2025 9:31 AM
Last Modified: January 16, 2025 2:03 PM
CVSS Score: 2.5 / 10
Primary Ecosystem: Go
Primary Package: github.com/mattermost/mattermost/server/v8
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.