CVE-2026-2463: Mattermost fails to filter invite IDs based on user permissions

March 16, 2026 (updated March 17, 2026)

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: MMSA-2025-00565

References

github.com/advisories/GHSA-fx49-m253-27jj
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-2463

Code Behaviors & Features

Detect and mitigate CVE-2026-2463 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →