Description: BlueWave Checkmate versions up to and including 2.0.2, prior to commit d4a6072, contain a privilege escalation vulnerability in the invitation-based registration flow. A user can modify the invite/registration request body to supply attacker-controlled role and teamId values instead of having these attributes derived from the invitation token, allowing the creation of an account with elevated permissions (e.g., administrative roles) outside the intended authorization model.
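The flaw class described above, shown as an added example next to a hardened handler. This is not Checkmate's code or the change made in commit d4a6072; the invite store, the function names and every field name other than role and teamId are assumptions made for illustration.

```javascript
// Added illustration; every name below except role and teamId is hypothetical.
// Server-side invite record (constructed sample), written when an admin issues the invite.
const invites = new Map([
  ["tok-constructed-1",
    { email: "new.user@example.test", role: ["user"], teamId: "team-a", used: false }],
]);

// Pattern the advisory describes: the token is checked, but role and teamId
// are copied from the request body, so the client chooses its own privileges.
function registerFromBody(body) {
  if (!invites.has(body.inviteToken)) throw new Error("invalid invite");
  return { email: body.email, role: body.role, teamId: body.teamId };
}

// Hardened form: the body may carry only the token and user-owned fields.
const ALLOWED_BODY_FIELDS = new Set(["inviteToken", "email", "password"]);

function registerFromInvite(body) {
  // Strict allow-list: a body carrying role/teamId is rejected, not silently
  // ignored, which also gives the application a clear event to log.
  const unexpected = Object.keys(body).filter((k) => !ALLOWED_BODY_FIELDS.has(k));
  if (unexpected.length > 0) {
    throw new Error(`unexpected fields: ${unexpected.join(", ")}`);
  }
  const invite = invites.get(body.inviteToken);
  if (!invite || invite.used) throw new Error("invalid or used invite");
  if (body.email !== invite.email) throw new Error("email does not match invite");
  invite.used = true; // single use
  // Authorization attributes come from the stored invite only.
  return { email: invite.email, role: [...invite.role], teamId: invite.teamId };
}
```

A regression test for this class of bug sends a registration body with extra role and teamId fields and asserts that the created account still carries the invite's values, or that the request is refused.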