CVE-2024-40884

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.

Published: Aug 22, 2024
Updated: May 4, 2025
CVE: CVE-2024-40884
GHSA: GHSA-3j95-8g47-fpwh
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	9.5.0	9.5.8
github.com/mattermost/mattermost/server/v8	9.10.0	9.10.1
mattermost / mattermost_server	9.5.0	9.5.8
mattermost / mattermost_server	9.10.0	9.10.0.x

https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2024-40884