PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9820 Mattermost CVE debrief

CVE-2026-9820 is a low-severity vulnerability affecting Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19. The issue arises from the failure to sanitize team objects returned by the scheme teams endpoint, enabling users with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint. The vulnerability has a CVSS score of 3.8 and a severity of LOW.

Vendor
Mattermost
Product
Unknown
CVSS
LOW 3.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19, particularly those with the User Manager role, should be aware of this vulnerability and take steps to mitigate its impact. The vulnerability allows users with the User Manager role to access invite links for private teams and use them to join or share access to those teams.

Technical summary

The vulnerability is caused by inadequate sanitization of team objects returned by the scheme teams endpoint in Mattermost. This allows users with the User Manager role to access invite links for private teams and use them to join or share access to those teams. The issue has been identified in Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19. The vulnerability has a CVSS score of 3.8 and a severity of LOW.

Defensive priority

Low

Recommended defensive actions

  • Update Mattermost to a version that addresses this vulnerability
  • Restrict access to the scheme teams endpoint for users with the User Manager role
  • Monitor for suspicious activity related to team invite links
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-13T11:16:28.203Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19. Users with the User Manager role can obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint. The issue arises from the failure to sanitize team objects returned by the scheme teams endpoint.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T11:16:28.203Z and has not been modified since then. The NVD entry is currently in the 'Received' status.