Lucene search
K

48 matches found

OSV
OSV
added 2 days ago6 views

GO-2026-5869 Rancher has over-inclusive team membership expansion in GitHub App authentication provider in github.com/rancher/rancher

Rancher has over-inclusive team membership expansion in GitHub App authentication provider in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

8.8CVSS5.9AI score0.0037EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-56020

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description An authenticated command injection exists in the GetLogs Livewire component. Users with team membership, including those with the lowest privilege role, can execute arbitrary commands as roo...

8.8CVSS6.1AI score0.01385EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/01 8:51 p.m.7 views

EUVD-2026-40297

Rancher has over-inclusive team membership expansion in GitHub App authentication provider...

8.8CVSS5.8AI score0.0037EPSS
Exploits0References6
OSV
OSV
added 2026/07/01 8:51 p.m.2 views

GHSA-4J6X-2764-M8GH Rancher has over-inclusive team membership expansion in GitHub App authentication provider

Impact A vulnerability has been identified within Rancher Manager in the GitHub App authentication provider. When evaluating permissions, the provider incorrectly expands user team memberships to include all teams within the associated GitHub organization, rather than restricting access to the...

8.8CVSS5.7AI score0.0037EPSS
Exploits0References7
NVD
NVD
added 2026/06/30 12:16 p.m.8 views

CVE-2026-41053

Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2...

8.8CVSS0.0037EPSS
Exploits0References1
CVE
CVE
added 2026/06/30 11:38 a.m.35 views

CVE-2026-41053

CVE-2026-41053 affects Rancher’s GitHub authentication provider, specifically the team membership expansion, where an incorrect authentication caching flaw could grant principal access to any logged-in user. Affected versions are 2.13 prior to 2.13.6 and 2.14 prior to 2.14.2. Root cause: faulty c...

8.8CVSS5.8AI score0.0037EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/30 11:38 a.m.34 views

CVE-2026-41053 Over-inclusive team membership expansion in GitHub App authentication provider for Rancher

Incorrect authentication caching in the team member ship expansion of the Rancher Github authentication provider caused it granting principal access to any logged in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2...

8.8CVSS0.0037EPSS
Exploits0References1
OSV
OSV
added 2026/04/24 4:17 p.m.4 views

GHSA-JV9X-W4GM-HWCM Kimai has Missing Object-Level Authorization in the Team API

Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...

3.3CVSS5.8AI score0.00247EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/16 3:30 p.m.4 views

EUVD-2026-12409

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID:...

4.3CVSS5.8AI score0.00165EPSS
Exploits0References2
NVD
NVD
added 2026/03/16 2:19 p.m.4 views

CVE-2026-2458

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID:...

4.3CVSS0.00165EPSS
Exploits0References1
OSV
OSV
added 2026/03/16 11:27 a.m.4 views

CVE-2026-2458 Unauthorized channel enumeration in private teams after member removal

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID:...

4.3CVSS6.3AI score0.00165EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/16 11:27 a.m.6 views

CVE-2026-2458

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID:...

4.3CVSS5.8AI score0.00165EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.4 views

PT-2026-25684

Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causi...

4.3CVSS5.8AI score0.00165EPSS
Exploits0References8
OSV
OSV
added 2026/02/23 6:23 p.m.8 views

GO-2026-4521 Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server

Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

4.3CVSS5.5AI score0.00162EPSS
Exploits0References4
OSV
OSV
added 2026/02/16 3:32 p.m.2 views

GHSA-57CC-2PF4-MHMX Mattermost fails to properly validate team membership when processing channel mentions

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the...

4.3CVSS5.9AI score0.00162EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/16 3:32 p.m.7 views

Mattermost fails to properly validate team membership when processing channel mentions

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the...

4.3CVSS5.5AI score0.00162EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2026/02/16 1:15 p.m.6 views

CVE-2025-14350

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the...

4.3CVSS0.00162EPSS
Exploits0References1
OSV
OSV
added 2026/02/16 12:5 p.m.5 views

CVE-2025-14350 Information disclosure via channel mentions in posts

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the...

4.3CVSS6AI score0.00162EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/16 12:5 p.m.4 views

CVE-2025-14350 Information disclosure via channel mentions in posts

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the...

4.3CVSS5.5AI score0.00162EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/16 12:5 p.m.3 views

CVE-2025-14350

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the...

4.3CVSS5.5AI score0.00162EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder