{"api_version":"1","generated_at":"2026-07-13T12:40:31+00:00","cve":"CVE-2026-9820","urls":{"html":"https://cve.report/CVE-2026-9820","api":"https://cve.report/api/cve/CVE-2026-9820.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9820","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9820"},"summary":{"title":"Mattermost schemes teams endpoint exposes private team invite IDs","description":"Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671","state":"PUBLISHED","assigner":"Mattermost","published_at":"2026-07-13 11:16:28","updated_at":"2026-07-13 11:16:28"},"problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"responsibledisclosure@mattermost.com","type":"Secondary","score":"3.8","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N","baseScore":3.8,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"3.8","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.8,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://mattermost.com/security-updates","name":"https://mattermost.com/security-updates","refsource":"responsibledisclosure@mattermost.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9820","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9820","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 11.7.0 11.7.2 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"affected 10.11.0 10.11.19 semver","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.8.0","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 11.7.3","platforms":[]},{"source":"CNA","vendor":"Mattermost","product":"Mattermost","version":"unaffected 10.11.20","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update Mattermost to versions 11.8.0, 11.7.3, 10.11.20 or higher.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"0x7oda7123","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mattermost","vendor":"Mattermost","versions":[{"lessThanOrEqual":"11.7.2","status":"affected","version":"11.7.0","versionType":"semver"},{"lessThanOrEqual":"10.11.19","status":"affected","version":"10.11.0","versionType":"semver"},{"status":"unaffected","version":"11.8.0"},{"status":"unaffected","version":"11.7.3"},{"status":"unaffected","version":"10.11.20"}]}],"credits":[{"lang":"en","type":"finder","value":"0x7oda7123"}],"descriptions":[{"lang":"en","value":"Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.8,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-13T10:51:34.023Z","orgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","shortName":"Mattermost"},"references":[{"name":"MMSA-2026-00671","tags":["vendor-advisory"],"url":"https://mattermost.com/security-updates"}],"solutions":[{"lang":"en","value":"Update Mattermost to versions 11.8.0, 11.7.3, 10.11.20 or higher."}],"source":{"advisory":"MMSA-2026-00671","defect":["https://mattermost.atlassian.net/browse/MM-68824"],"discovery":"EXTERNAL"},"title":"Mattermost schemes teams endpoint exposes private team invite IDs","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"9302f53e-dde5-4bf3-b2f2-a83f91ac0eee","assignerShortName":"Mattermost","cveId":"CVE-2026-9820","datePublished":"2026-07-13T10:51:34.023Z","dateReserved":"2026-05-28T11:26:12.173Z","dateUpdated":"2026-07-13T10:51:34.023Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-13 11:16:28","lastModifiedDate":"2026-07-13 11:16:28","problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"responsibledisclosure@mattermost.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N","baseScore":3.8,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":2.5}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9820","Ordinal":"1","Title":"Mattermost schemes teams endpoint exposes private team invite ID","CVE":"CVE-2026-9820","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9820","Ordinal":"1","NoteData":"Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671","Type":"Description","Title":"Mattermost schemes teams endpoint exposes private team invite ID"}]}}}