PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6689 Mattermost CVE debrief

CVE-2026-6689 is a medium-severity vulnerability affecting Mattermost, a popular communication platform. The vulnerability has a CVSS score of 4.3 and was published on 2026-06-12. It allows an authenticated user with PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings, making the team publicly joinable or constraining membership via allowed domains.

Vendor
Mattermost
Product
Mattermost (server)
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Administrators of Mattermost instances should care, particularly where the permission scheme grants PermissionCreateTeam to users who are deliberately denied PermissionInviteUser (for example, instances that let all users create teams but reserve invite controls for team admins). On such instances the invite restriction was enforceable on existing teams but not on newly created ones, so the intended separation between "can create a team" and "can decide who joins it" did not hold.

Technical summary

The vulnerability occurs because Mattermost did not enforce PermissionInviteUser when AllowOpenInvite or AllowedDomains were set during team creation; the check was only applied on update/patch operations. An authenticated user with PermissionCreateTeam but without PermissionInviteUser can therefore create a team via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body, obtaining a configuration that the same user would be refused if they tried to apply it to an existing team. The practical effect is that such a user can make a new team joinable by any user of the instance (open invite) or restrict membership to chosen email domains, decisions the permission scheme reserved for users holding PermissionInviteUser.
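The asymmetry described above, as an added illustration in Go (the Mattermost server's language). This is not Mattermost's own code: the Session, Team and permission-string types are a simplified stand-in, and the "reject the request" behaviour in CreateTeamFixed is one reasonable fix (silently dropping the two fields would be the other); the advisory does not say which approach the vendor took. The point it shows is that the update path checks PermissionInviteUser while the pre-fix create path does not, so a caller who cannot change the fields on an existing team can still set them on a new one.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission names mirror the identifiers used in the advisory text.
// The permission model below is a constructed stand-in, not Mattermost's.
const (
	PermissionCreateTeam = "create_team"
	PermissionInviteUser = "invite_user"
)

var ErrForbidden = errors.New("forbidden: missing permission")

// Team carries only the fields relevant to this issue.
type Team struct {
	Name            string
	AllowOpenInvite bool   // true: any user of the instance may join without an invite
	AllowedDomains  string // non-empty: membership restricted to these email domains
}

// Session holds the caller's effective permissions (constructed for the example).
type Session struct {
	UserID string
	Perms  map[string]bool
}

func (s Session) Has(p string) bool { return s.Perms[p] }

// wantsInviteControls reports whether a request sets either field that the
// update path gates behind PermissionInviteUser.
func wantsInviteControls(t Team) bool {
	return t.AllowOpenInvite || t.AllowedDomains != ""
}

// CreateTeamVulnerable models the pre-fix behaviour: only PermissionCreateTeam
// is checked, so invite-controlled fields in the request pass straight through.
func CreateTeamVulnerable(s Session, req Team) (Team, error) {
	if !s.Has(PermissionCreateTeam) {
		return Team{}, ErrForbidden
	}
	return req, nil
}

// UpdateTeam models the existing update/patch behaviour: changing either
// invite-controlled field requires PermissionInviteUser.
func UpdateTeam(s Session, existing, patch Team) (Team, error) {
	changed := patch.AllowOpenInvite != existing.AllowOpenInvite ||
		patch.AllowedDomains != existing.AllowedDomains
	if changed && !s.Has(PermissionInviteUser) {
		return existing, ErrForbidden
	}
	return patch, nil
}

// CreateTeamFixed applies on creation the same gate UpdateTeam applies on
// modification, so the two paths can no longer be played against each other.
func CreateTeamFixed(s Session, req Team) (Team, error) {
	if !s.Has(PermissionCreateTeam) {
		return Team{}, ErrForbidden
	}
	if wantsInviteControls(req) && !s.Has(PermissionInviteUser) {
		return Team{}, ErrForbidden
	}
	return req, nil
}

func main() {
	// Constructed caller: may create teams but may not invite users.
	creator := Session{UserID: "u1", Perms: map[string]bool{PermissionCreateTeam: true}}
	req := Team{Name: "ops", AllowOpenInvite: true, AllowedDomains: "example.com"}

	t, err := CreateTeamVulnerable(creator, req)
	fmt.Printf("vulnerable create: open_invite=%v domains=%q err=%v\n", t.AllowOpenInvite, t.AllowedDomains, err)

	_, err = UpdateTeam(creator, Team{Name: "ops"}, req)
	fmt.Printf("update of the same fields: err=%v\n", err)

	_, err = CreateTeamFixed(creator, req)
	fmt.Printf("fixed create: err=%v\n", err)
}
```

Run as-is: the vulnerable create succeeds with both fields set, the update of the same fields is refused, and the fixed create is refused for the same caller while still allowing a plain team (no invite controls) or a caller who also holds PermissionInviteUser.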

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to a Mattermost release that contains the fix for the version line you run (see the affected versions under Evidence notes).
  • Review the permission scheme: if your instance relies on withholding PermissionInviteUser from users who hold PermissionCreateTeam, recognise that this separation was not enforced at creation time on unpatched builds, and consider restricting team creation to the same set of users until the upgrade is done.
  • Audit existing teams for allow_open_invite set to true or a non-empty allowed_domains, and confirm that each such configuration was set by a user entitled to it; correct any that were not.
  • Monitor team creation, in particular creations that set allow_open_invite or allowed_domains, for abuse by users who are not permitted to invite.
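The audit suggested above, as an added example in Go that is not part of the advisory: it takes the JSON array of team objects an administrator would retrieve from the Mattermost API and flags every team whose invite controls are set. The JSON field names are assumed to match the request-body keys the advisory quotes (allow_open_invite, allowed_domains); the sample input is constructed for offline use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// teamRecord holds the fields of a team object that matter for this audit.
// Field names follow the request-body keys quoted in the advisory and are
// assumed to match the JSON returned by GET /api/v4/teams.
type teamRecord struct {
	ID              string `json:"id"`
	Name            string `json:"name"`
	DisplayName     string `json:"display_name"`
	AllowOpenInvite bool   `json:"allow_open_invite"`
	AllowedDomains  string `json:"allowed_domains"`
	CreateAt        int64  `json:"create_at"`
}

// Finding names a team and why it was flagged.
type Finding struct {
	TeamID   string
	TeamName string
	Reasons  []string
}

// FlagTeams decodes a JSON array of team objects and returns one Finding per
// team that has either invite-controlled setting in effect. Teams with
// neither setting are not reported.
func FlagTeams(raw []byte) ([]Finding, error) {
	var teams []teamRecord
	if err := json.Unmarshal(raw, &teams); err != nil {
		return nil, fmt.Errorf("decode teams: %w", err)
	}
	var out []Finding
	for _, t := range teams {
		var reasons []string
		if t.AllowOpenInvite {
			reasons = append(reasons, "allow_open_invite=true (any user of the instance can join)")
		}
		if d := strings.TrimSpace(t.AllowedDomains); d != "" {
			reasons = append(reasons, "allowed_domains="+d)
		}
		if len(reasons) > 0 {
			out = append(out, Finding{TeamID: t.ID, TeamName: t.Name, Reasons: reasons})
		}
	}
	return out, nil
}

// sampleTeams is constructed input so the example runs offline; in practice
// feed it the body of a paginated GET /api/v4/teams call made as an admin.
const sampleTeams = `[
  {"id":"t1","name":"engineering","display_name":"Engineering","allow_open_invite":false,"allowed_domains":"","create_at":1700000000000},
  {"id":"t2","name":"anyone-join","display_name":"Anyone Join","allow_open_invite":true,"allowed_domains":"","create_at":1700000001000},
  {"id":"t3","name":"partners","display_name":"Partners","allow_open_invite":false,"allowed_domains":"partner.example, contractor.example","create_at":1700000002000}
]`

func main() {
	findings, err := FlagTeams([]byte(sampleTeams))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s (%s): %s\n", f.TeamName, f.TeamID, strings.Join(f.Reasons, "; "))
	}
}
```

Each flagged team then needs a human decision: the creator can be established from the server's audit log or team membership history, and the configuration is fine if that user was entitled to set it and should be reverted otherwise.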

Evidence notes

The CVE was published on 2026-06-12 with a CVSS score of 4.3 and a medium severity rating. The stored evidence lists the affected Mattermost versions as 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, and 10.11.x, for which the record gives two upper bounds (<= 10.11.15 and <= 10.11.16); treat the higher bound as the conservative cut-off until the vendor advisory is checked.

Official resources

Mattermost has released fixed versions for the affected lines listed under Evidence notes. Consult the Mattermost security advisory and the CVE-2026-6689 record for the authoritative list of fixed releases.