CVE-2025-14573: Mattermost fails to enforce invite permissions when updating team settings

February 16, 2026 (updated February 19, 2026)

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

References

github.com/advisories/GHSA-cgjg-p2m2-qm4p
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/6404ab29acc04901c5cb1cf5ad97fc3c0693e2cd
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-14573

Code Behaviors & Features

Detect and mitigate CVE-2025-14573 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →