CVE-2024-29221

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.

Published: Apr 5, 2024
Updated: May 4, 2025
CVE: CVE-2024-29221
GHSA: GHSA-w67v-ph4x-f48q
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.8
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	8.1.0	8.1.11
github.com/mattermost/mattermost/server/v8	9.5.0	9.5.2
github.com/mattermost/mattermost/server/v8	9.4.0	9.4.4
github.com/mattermost/mattermost/server/v8	9.3.0	9.3.3
mattermost / mattermost_server	8.1.0	8.1.11
mattermost / mattermost_server	9.5.0	9.5.2
mattermost / mattermost_server	9.4.0	9.4.4
mattermost / mattermost_server	9.3.0	9.3.3

Vulnerability Database

289,784

CVE-2024-29221