Description
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656
Published: 2026-06-12
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, and 10.11.x up to 10.11.16 fail to require a system‑level permission when patching protected default system roles. The missing check allows authenticated users who possess delegated user‑management permissions to use the role patch API to alter built‑in role permissions, effectively elevating their privileges within the system.

Affected Systems

The vulnerability affects Mattermost and applies to the following product releases: 11.6.0 through 11.6.1, 11.5.0 through 11.5.4, and 10.11.0 through 10.11.16. Updating to any version 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or later removes the flaw.

Risk and Exploitability

The CVSS score of 6.7 indicates a medium‑high severity threat. Exploitation requires an authenticated user with delegated user‑management rights; the attacker can immediately invoke the role patch API to modify protected roles. EPSS data is not available, but the existence of a public advisory suggests the flaw is likely to be exploited. The vulnerability is not currently listed as a known exploited vulnerability (KEV).

Generated by OpenCVE AI on June 12, 2026 at 18:23 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher.

OpenCVE Recommended Actions

  • Upgrade Mattermost to one of the fixed releases (11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or later).
  • Revoke delegated user‑management permissions for all users until the patch is applied.
  • Restrict the role patch API so that only accounts with system‑level permissions can use it.

Generated by OpenCVE AI on June 12, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Fri, 12 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656
Title Mattermost: Delegated admins could patch protected default system roles
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-13T03:56:06.666Z

Reserved: 2026-04-21T08:47:06.795Z

Link: CVE-2026-6739

cve-icon Vulnrichment

Updated: 2026-06-12T17:19:28.401Z

cve-icon NVD

Status : Received

Published: 2026-06-12T17:16:27.290

Modified: 2026-06-12T17:16:27.290

Link: CVE-2026-6739

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T18:30:32Z

Weaknesses