CVE-2026-6689

EUVD-2026-36501

12.06.2026, 17:16

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
Mattermost	CNA	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
mattermost	mattermost	11.6.0 ≤ 𝑥 ≤ 11.6.1	CNA
mattermost	mattermost	11.5.0 ≤ 𝑥 ≤ 11.5.4	CNA
mattermost	mattermost	10.11.0 ≤ 𝑥 ≤ 10.11.15	CNA
mattermost	mattermost	10.11.0 ≤ 𝑥 ≤ 10.11.16	CNA

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://mattermost.com/security-updates