Access Control Weakness in Mattermost Playbook Metric Configuration
CVE-2026-6541
4.3MEDIUM
What is CVE-2026-6541?
In certain versions of Mattermost, an access control vulnerability exists that allows authenticated users with team access to modify the metric settings of other users’ playbooks. This flaw arises when importing or updating a playbook with a foreign metric ID, bypassing intended restrictions for playbook metric configuration changes. Affected versions include Mattermost 11.7.x up to 11.7.1, 11.6.x up to 11.6.4, and 10.11.x up to 10.11.19, as detailed in the Mattermost security advisory.
Affected Version(s)
Mattermost 11.7.0 <= 11.7.1
Mattermost 11.6.0 <= 11.6.4
Mattermost 10.11.0 <= 10.11.19