CVE-2026-9820

EUVD-2026-43340
Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
MattermostCNA
3.8 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
10.11.0 ≤
𝑥
< 10.11.20
mattermostmattermost_server
11.7.0 ≤
𝑥
< 11.7.3
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
mattermostmattermost
11.7.0 ≤
𝑥
≤ 11.7.2
CNA
mattermostmattermost
10.11.0 ≤
𝑥
≤ 10.11.19
CNA