Mattermost Team Creation Flaw Allows Unauthorized Settings Changes
CVE-2026-6689
4.3MEDIUM
What is CVE-2026-6689?
Mattermost versions prior to the specified patches do not properly enforce the PermissionInviteUser check during team creation, which can allow an authenticated user without the necessary permissions to modify invite-related team settings. Specifically, users with the PermissionCreateTeam can unintentionally open team membership to the public or restrict it by domain, leading to potential unauthorized access to sensitive team resources.
Affected Version(s)
Mattermost 11.6.0 <= 11.6.1
Mattermost 11.5.0 <= 11.5.4
Mattermost 10.11.0 <= 10.11.15