CVE-2017-18902: Mattermost Server exposes team invite IDs through API endpoints

May 24, 2022 (updated December 3, 2025)

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.

References

github.com/advisories/GHSA-jwfv-5hwq-f97r
github.com/mattermost/mattermost
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2017-18902

Code Behaviors & Features

Detect and mitigate CVE-2017-18902 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →