Mattermost Team Creation Flaw Allows Unauthorized Settings Changes
CVE-2026-6689

4.3MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
12 June 2026

What is CVE-2026-6689?

Mattermost versions prior to the specified patches do not properly enforce the PermissionInviteUser check during team creation, which can allow an authenticated user without the necessary permissions to modify invite-related team settings. Specifically, users with the PermissionCreateTeam can unintentionally open team membership to the public or restrict it by domain, leading to potential unauthorized access to sensitive team resources.

Affected Version(s)

Mattermost 11.6.0 <= 11.6.1

Mattermost 11.5.0 <= 11.5.4

Mattermost 10.11.0 <= 10.11.15

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

0x7oda7123
.