CVE-2025-14573 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-14573

CVE-2025-14573

February 16, 2026

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

Affected Packages

github.com/mattermost/mattermost (GO):

Affected version(s) >=v10.11.0 <v10.11.10

Fix Suggestion:

Update to version v10.11.10

github.com/mattermost/mattermost/server/v8 (GO):

Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20251215190648-6404ab29acc0

Fix Suggestion:

Update to version v8.0.0-20251215190648-6404ab29acc0

Related Resources (5)

https://github.com/advisories/GHSA-cgjg-p2m2-qm4p

https://github.com/mattermost/mattermost/commit/6404ab29acc04901c5cb1cf5ad97fc3c0693e2cd

https://mattermost.com/security-updates

https://github.com/mattermost/mattermost

https://nvd.nist.gov/vuln/detail/CVE-2025-14573

Do you need more information?

CVSS v4

Base Score:

5.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

HIGH

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

3.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Missing Authorization

CWE-862

EPSS

Base Score:

0.03

Products

Solutions

Resources

Company

Compare

Developer Tools