2 matches found
CVE-2025-22449 Access control flaw for team admins allows unauthorized team additions
Mattermost versions 9.11.x = 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allowopeninvite" field via making their team public...
CVE-2025-22449
Mattermost Server 9.11.x ≤ 9.11.5 suffers an improper access-control flaw where team admins lacking invite permission can add users by toggling the allow_open_invite flag when a team is made public. Root cause: failure to enforce invite permissions. Affected feature/file: invite mechanism via all...