8 matches found
CVE-2026-32991
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account...
EUVD-2026-30205
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account...
CVE-2026-32991
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account...
CVE-2026-32991
Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account...
CVE-2023-27266 Disclosure of team owner email address when accessing the teams API
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
CVE-2023-27265 Disclosure of team owner email address when regenerating Invite ID
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
PT-2023-21044 · Unknown · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost affected versions not specified
Description: The issue concerns the failure of Mattermost to honor the ShowEmailAddress setting when responding to the "Regenerate Invite Id" API endpoint. This allows an attacker with team admin...
Slack: Team admin can change unauthorized team setting (allow_message_deletion)
Team admin can escalate his privileges and change 'allow_message_deletion' team setting, which can be changed only by a team owner. Steps to reproduce: 1. Log in as team admin. 2. Send the below request using his cookie & token and notice that it changes 'allow_message_deletion' team setting to true...