2 matches found
CVE-2025-22449 Access control flaw for team admins allows unauthorized team additions
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public...
CVE-2024-47145 Unauthorized access on archived channels via file links
Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access to archived channels when viewing archived channels is disabled, which allows an attacker to view posts and files of archived channels via file links...