PatchSiren cyber security CVE debrief
CVE-2026-9820 Mattermost CVE debrief
CVE-2026-9820 is a low-severity vulnerability affecting Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19. The issue arises from the failure to sanitize team objects returned by the scheme teams endpoint, enabling users with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint. The vulnerability has a CVSS score of 3.8 and a severity of LOW.
- Vendor
- Mattermost
- Product
- Unknown
- CVSS
- LOW 3.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19, particularly those with the User Manager role, should be aware of this vulnerability and take steps to mitigate its impact. The vulnerability allows users with the User Manager role to access invite links for private teams and use them to join or share access to those teams.
Technical summary
The vulnerability is caused by inadequate sanitization of team objects returned by the scheme teams endpoint in Mattermost. This allows users with the User Manager role to access invite links for private teams and use them to join or share access to those teams. The issue has been identified in Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19. The vulnerability has a CVSS score of 3.8 and a severity of LOW.
Defensive priority
Low
Recommended defensive actions
- Update Mattermost to a version that addresses this vulnerability
- Restrict access to the scheme teams endpoint for users with the User Manager role
- Monitor for suspicious activity related to team invite links
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-13T11:16:28.203Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability affects Mattermost versions 11.7.x <= 11.7.2 and 10.11.x <= 10.11.19. Users with the User Manager role can obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint. The issue arises from the failure to sanitize team objects returned by the scheme teams endpoint.
Official resources
-
CVE-2026-9820 CVE record
CVE.org
-
CVE-2026-9820 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T11:16:28.203Z and has not been modified since then. The NVD entry is currently in the 'Received' status.