Description
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655
Published: 2026-06-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication check that should ensure a user possesses the PermissionInviteUser authority is omitted when a team is created with AllowOpenInvite or AllowedDomains enabled. Consequently, an authenticated user who can create a team but does not hold invitation‑management privileges can configure the new team as publicly joinable or restrict it to specific domains. This empowerment permits the user to effectively alter the team’s access controls beyond their granted rights, potentially exposing sensitive channels or undermining security boundaries. The flaw is a missing authorization check (CWE‑862).

Affected Systems

Mattermost users running older releases are affected. The vulnerability exists in Mattermost community and enterprise editions for the following ranges: version 11.6.0 – 11.6.1, 11.5.0 – 11.5.4, 10.11.0 – 10.11.15 and 10.11.0 – 10.11.16. Any deployment that has not applied the latest patch releases is therefore susceptible.

Risk and Exploitability

The CVSS score of 4.3 classifies this as a moderate severity issue. Exploitation requires the attacker to be an authenticated user with PermissionCreateTeam; no additional privileges or network exposure are needed. Because the EPSS score is not available, it cannot be used to gauge likelihood, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can gain unauthorized configuration power via standard API calls or web UI when creating a new team. The risk is limited to privilege escalation within the Mattermost instance, but it can enable broader lateral movement if unrestricted team invites are enabled.

Generated by OpenCVE AI on June 12, 2026 at 18:23 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher.

OpenCVE Recommended Actions

  • Upgrade Mattermost to any supported version that contains the patch, such as 11.7.0 or higher, 11.6.2 or higher, 11.5.5 or higher, 10.11.16 or higher, or 10.11.17 or higher.
  • Configure the team‑creation process or use an auxiliary script to reject payloads that include AllowOpenInvite set to true or a non‑empty AllowedDomains field, ensuring that only users with PermissionInviteUser can specify these settings.
  • Audit all existing teams that were created by users lacking PermissionInviteUser for unintended open‑invite or domain restrictions, and reset the configuration where necessary.

Generated by OpenCVE AI on June 12, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Fri, 12 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body.. Mattermost Advisory ID: MMSA-2026-00655
Title *Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-12T17:18:52.426Z

Reserved: 2026-04-20T15:19:13.503Z

Link: CVE-2026-6689

cve-icon Vulnrichment

Updated: 2026-06-12T17:18:48.982Z

cve-icon NVD

Status : Received

Published: 2026-06-12T17:16:27.180

Modified: 2026-06-12T17:16:27.180

Link: CVE-2026-6689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T18:30:32Z

Weaknesses