
CVE-2026-6689: Missing `invite_user` permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings

CVSS 4.3 (Medium) · EPSS 0.15% · P5

Affected Version Matrix (9)

| Vendor | Product | Version Range | Status |
| --- | --- | --- | --- |
| Mattermost | Mattermost | ≥ 11.6.0, ≤ 11.6.1 | affected |
| Mattermost | Mattermost | ≥ 11.5.0, ≤ 11.5.4 | affected |
| Mattermost | Mattermost | ≥ 10.11.0, ≤ 10.11.15 | affected |
| Mattermost | Mattermost | ≥ 10.11.0, ≤ 10.11.16 | affected |
| Mattermost | Mattermost | 11.7.0 | unaffected |
| Mattermost | Mattermost | 11.6.2 | unaffected |
| Mattermost | Mattermost | 11.5.5 | unaffected |
| Mattermost | Mattermost | 10.11.16 | unaffected |

… +1 more rows

I. Basic Information for CVE-2026-6689

Vulnerability Information


Vulnerability Title
Missing `invite_user` permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch). This allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team, via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body. Mattermost Advisory ID: MMSA-2026-00655
Source: NVD (National Vulnerability Database)
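The defect described above is a permission check that exists on the update/patch path but is absent on the create path. The following Go program is an added illustration written for this page, not Mattermost's own code: it models a minimal team-creation handler with the gate missing (the pre-fix shape) beside one where the same `invite_user` gate is applied whenever a request carries invite-controlled fields. The `Session`, `TeamRequest`, `createTeamVulnerable`, `createTeamFixed` and `handleCreateTeam` names, and the sample JSON body, are all constructed for the example; only the permission names and the `allow_open_invite` / `allowed_domains` field names come from the advisory text.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Permission names follow the identifiers used in the advisory text.
type Permission string

const (
	PermissionCreateTeam Permission = "create_team"
	PermissionInviteUser Permission = "invite_user"
)

// Session is a hypothetical stand-in for an authenticated user's session.
type Session struct {
	UserID      string
	Permissions map[Permission]bool
}

// Has reports whether the session holds a permission (nil map => false).
func (s Session) Has(p Permission) bool { return s.Permissions[p] }

// TeamRequest carries the two invite-controlled fields named in the advisory,
// with the JSON keys the advisory says the request body uses.
type TeamRequest struct {
	Name            string `json:"name"`
	AllowOpenInvite bool   `json:"allow_open_invite"`
	AllowedDomains  string `json:"allowed_domains"`
}

var ErrForbidden = errors.New("forbidden: missing required permission")

// requestTouchesInviteSettings reports whether the request sets fields that
// are only meant to be controlled by holders of PermissionInviteUser.
func requestTouchesInviteSettings(r TeamRequest) bool {
	return r.AllowOpenInvite || r.AllowedDomains != ""
}

// createTeamVulnerable models the pre-fix shape: only PermissionCreateTeam is
// checked, so invite-controlled settings pass through unexamined.
func createTeamVulnerable(s Session, r TeamRequest) (TeamRequest, error) {
	if !s.Has(PermissionCreateTeam) {
		return TeamRequest{}, ErrForbidden
	}
	return r, nil
}

// createTeamFixed applies the gate the update path already had: any request
// that sets invite-controlled fields needs PermissionInviteUser as well,
// regardless of whether the team is being created or patched.
func createTeamFixed(s Session, r TeamRequest) (TeamRequest, error) {
	if !s.Has(PermissionCreateTeam) {
		return TeamRequest{}, ErrForbidden
	}
	if requestTouchesInviteSettings(r) && !s.Has(PermissionInviteUser) {
		return TeamRequest{}, ErrForbidden
	}
	return r, nil
}

// handleCreateTeam decodes a JSON request body and runs the hardened check.
func handleCreateTeam(s Session, body []byte) (TeamRequest, error) {
	var r TeamRequest
	if err := json.Unmarshal(body, &r); err != nil {
		return TeamRequest{}, err
	}
	return createTeamFixed(s, r)
}

func main() {
	// Constructed session: create_team only, no invite_user.
	creatorOnly := Session{UserID: "u1", Permissions: map[Permission]bool{PermissionCreateTeam: true}}
	// Constructed request body with both invite-controlled fields set.
	body := []byte(`{"name":"demo","allow_open_invite":true,"allowed_domains":"example.com"}`)

	var req TeamRequest
	_ = json.Unmarshal(body, &req)
	_, errV := createTeamVulnerable(creatorOnly, req)
	_, errF := handleCreateTeam(creatorOnly, body)
	fmt.Println("pre-fix shape accepted invite settings:", errV == nil)
	fmt.Println("fixed handler rejected them:           ", errF != nil)
}
```

The point of `requestTouchesInviteSettings` is that the decision is made on the request content, not on the code path: a team that is created with default invite settings still only needs `create_team`, while any request that sets `allow_open_invite` or `allowed_domains` is gated the same way on create and on update.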
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Missing Authorization Mechanism
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mattermost authorization issue vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mattermost is an open-source collaboration platform from the US company Mattermost. Mattermost has an authorization vulnerability, which stems from the PermissionInviteUser check not being enforced at team creation (it is applied only on update/patch), allowing an authenticated user who holds PermissionCreateTeam but not PermissionInviteUser to configure settings such as open invite or allowed domains on the team they create. The following versions are affected: 11.6.x versions up to and including 11.6.1, 11.5.x versions up to and including 11.5.4, 10.11.x versions up to and including 10.11.15, and 10.1
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

| Vendor | Product | Affected Versions | CPE |
| --- | --- | --- | --- |
| Mattermost | Mattermost | 11.6.0 ~ 11.6.1 | - |

II. Public POCs for CVE-2026-6689

No public POC found.

III. Intelligence Information for CVE-2026-6689


Same Patch Batch · Mattermost · 2026-06-12 · 7 CVEs total

- CVE-2026-7387 · 8.8 HIGH · Mattermost group syncable endpoints allow privilege escalation via scheme_admin
- CVE-2026-6961 · 7.6 HIGH · CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
- CVE-2026-6739 · 6.7 MEDIUM · Mattermost: Delegated admins could patch protected default system roles
- CVE-2026-7184 · 6.5 MEDIUM · Mattermost Remote Cluster PATCH API Leaks Authentication Tokens
- CVE-2026-6046 · 5.3 MEDIUM · Plugin bot username conflict allows user account to be used as bot identity in Mattermost
- CVE-2026-3433 · 4.3 MEDIUM · Mattermost fails to scope role_updated websocket events to authorized team and channel mem

IV. Related Vulnerabilities

V. Comments for CVE-2026-6689

No comments yet