Access Control Weakness in Mattermost Playbook Metric Configuration
CVE-2026-6541

4.3MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
13 July 2026

What is CVE-2026-6541?

In certain versions of Mattermost, an access control vulnerability exists that allows authenticated users with team access to modify the metric settings of other users’ playbooks. This flaw arises when importing or updating a playbook with a foreign metric ID, bypassing intended restrictions for playbook metric configuration changes. Affected versions include Mattermost 11.7.x up to 11.7.1, 11.6.x up to 11.6.4, and 10.11.x up to 10.11.19, as detailed in the Mattermost security advisory.

Affected Version(s)

Mattermost 11.7.0 <= 11.7.1

Mattermost 11.6.0 <= 11.6.4

Mattermost 10.11.0 <= 10.11.19

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

hfreak_s
.