
CVE-2026-6689: Mattermost Server Missing Authorization Vulnerability

CVE-2026-6689 is a missing authorization vulnerability in Mattermost Server that lets an authenticated user who may create teams, but may not invite users, set invite-controlled team settings (open invite and allowed domains) at team creation time. This article covers technical details, affected versions, detection, and mitigation.


CVE-2026-6689 Overview

CVE-2026-6689 is a missing authorization vulnerability [CWE-862] in Mattermost Server. The flaw exists in the team creation workflow exposed through POST /api/v4/teams. Mattermost fails to enforce the PermissionInviteUser check when an authenticated user sets AllowOpenInvite or AllowedDomains during team creation. The check is only applied on update or patch operations, leaving a gap during initial creation. An authenticated user holding PermissionCreateTeam, but lacking PermissionInviteUser, can configure invite-controlled settings they should not be able to set. This includes making teams publicly joinable or constraining membership through allowed domains.

Impact

Authenticated users holding only PermissionCreateTeam can create teams with open invite enabled or with a domain allow-list, bypassing the intended separation between creating a team and controlling who may join it. Open-invite teams become discoverable and joinable by other users of the instance, and allowed-domain restrictions let a low-privileged creator shape team membership policy that should be reserved for users with invite rights.

Affected Products

  • Mattermost Server 11.6.x through 11.6.1
  • Mattermost Server 11.5.x through 11.5.4
  • Mattermost Server 10.11.x through 10.11.16

Discovery Timeline

  • 2026-06-12 - CVE-2026-6689 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-6689

Vulnerability Analysis

The vulnerability is tracked as Mattermost Advisory MMSA-2026-00655. It is classified as a missing authorization issue [CWE-862]. The defect lies in inconsistent permission enforcement across team lifecycle operations. Mattermost correctly validates PermissionInviteUser when a user attempts to modify AllowOpenInvite or AllowedDomains via the update or patch endpoints. The same validation is absent during team creation through POST /api/v4/teams. An authenticated attacker can submit a creation request whose JSON body sets allow_open_invite to true and/or a non-empty allowed_domains value. The server accepts these fields and persists the configuration without verifying that the caller holds PermissionInviteUser.

Root Cause

The root cause is incomplete permission check coverage. Authorization logic for invite-controlled fields was applied only to the update and patch handlers. The create handler accepts the same fields but skips the equivalent check. This is a classic broken access control pattern where parallel code paths apply differing authorization rules to the same resource attributes.
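The pattern described in the analysis and root cause sections, as an added illustration in Go (Mattermost's implementation language). This is not Mattermost's code: the permission names are taken from the advisory, but the User and Team types, the handler functions and the requireInvitePermission helper are assumptions that model the control flow, with the vulnerable create path beside a fixed one that reuses the check the update path already applies.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission names as used in the advisory. Everything else in this file is a
// simplified model, not Mattermost's own code.
const (
	PermissionCreateTeam = "create_team"
	PermissionInviteUser = "invite_user"
)

// User carries the caller's granted permissions (assumed model).
type User struct {
	ID          string
	Permissions map[string]bool
}

func (u *User) Has(p string) bool { return u.Permissions[p] }

// Team holds the two invite-controlled fields the advisory describes.
type Team struct {
	Name            string
	CreatorID       string
	AllowOpenInvite bool
	AllowedDomains  string
}

var ErrForbidden = errors.New("forbidden: missing permission")

// requireInvitePermission is the check applied on update/patch: touching either
// invite-controlled field requires PermissionInviteUser.
func requireInvitePermission(u *User, allowOpenInvite bool, allowedDomains string) error {
	if (allowOpenInvite || allowedDomains != "") && !u.Has(PermissionInviteUser) {
		return fmt.Errorf("%w %s", ErrForbidden, PermissionInviteUser)
	}
	return nil
}

// UpdateTeam models the update/patch path, where the invite check is enforced.
func UpdateTeam(u *User, t *Team, allowOpenInvite bool, allowedDomains string) error {
	if err := requireInvitePermission(u, allowOpenInvite, allowedDomains); err != nil {
		return err
	}
	t.AllowOpenInvite, t.AllowedDomains = allowOpenInvite, allowedDomains
	return nil
}

// CreateTeamVulnerable models the pre-fix create path: it checks only
// PermissionCreateTeam and persists the invite-controlled fields unverified.
func CreateTeamVulnerable(u *User, req Team) (*Team, error) {
	if !u.Has(PermissionCreateTeam) {
		return nil, fmt.Errorf("%w %s", ErrForbidden, PermissionCreateTeam)
	}
	req.CreatorID = u.ID
	return &req, nil
}

// CreateTeamFixed applies the same check the update path uses, closing the gap
// so that create and update enforce identical rules on the same attributes.
func CreateTeamFixed(u *User, req Team) (*Team, error) {
	if !u.Has(PermissionCreateTeam) {
		return nil, fmt.Errorf("%w %s", ErrForbidden, PermissionCreateTeam)
	}
	if err := requireInvitePermission(u, req.AllowOpenInvite, req.AllowedDomains); err != nil {
		return nil, err
	}
	req.CreatorID = u.ID
	return &req, nil
}

func main() {
	// A standard user: may create teams but may not invite.
	u := &User{ID: "u1", Permissions: map[string]bool{PermissionCreateTeam: true}}
	req := Team{Name: "open-team", AllowOpenInvite: true, AllowedDomains: "example.com"}

	t, err := CreateTeamVulnerable(u, req)
	fmt.Printf("vulnerable create: team=%+v err=%v\n", t, err)

	t, err = CreateTeamFixed(u, req)
	fmt.Printf("fixed create:      team=%+v err=%v\n", t, err)

	// The same user setting the same fields through update is already refused.
	existing := &Team{Name: "open-team", CreatorID: "u1"}
	fmt.Println("update:", UpdateTeam(u, existing, true, ""))
}
```

The design point is that the authorization rule is attached to the attribute (the invite-controlled fields), not to the endpoint; any handler that can write those fields calls the same helper, so a new code path cannot silently skip it.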

Attack Vector

Exploitation requires network access and authenticated low-privileged access. An attacker needs a valid Mattermost account with PermissionCreateTeam, which is commonly granted to standard users by default. The attacker issues a single POST /api/v4/teams request containing the privileged fields. No user interaction is required. The result is a team configured with settings the attacker would otherwise be unable to apply, allowing public discovery or domain-scoped membership manipulation.

No verified public proof-of-concept code is available. See the Mattermost Security Updates advisory for additional technical context.

Detection Methods for CVE-2026-6689

Indicators of Compromise

  • Audit log entries showing team creation events with allow_open_invite set to true by users not holding PermissionInviteUser.
  • Team records containing populated allowed_domains values created by accounts without elevated team permissions.
  • Sudden growth in publicly joinable teams created from standard user accounts.

Detection Strategies

  • Query Mattermost audit logs for POST /api/v4/teams requests where the request body contains allow_open_invite: true or a non-empty allowed_domains.
  • Cross-reference team creator identities against the role assignments to identify users lacking PermissionInviteUser who set invite-controlled fields.
  • Establish a baseline of legitimate team creation activity and alert on deviations involving privileged field values.
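The first two detection strategies above, as an added example in Go that is not part of this page or of Mattermost. It scans newline-delimited JSON audit records for POST /api/v4/teams requests whose body sets allow_open_invite or allowed_domains and cross-references the acting user against a role map. The record schema (ts, user_id, method, path, body) and the sample lines are constructed for the example; map the field names to your deployment's audit log format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// auditEvent is an assumed, simplified audit record. Real Mattermost audit
// logs use their own schema; adjust the JSON tags to match your deployment.
type auditEvent struct {
	Timestamp string `json:"ts"`
	UserID    string `json:"user_id"`
	Method    string `json:"method"`
	Path      string `json:"path"`
	Body      string `json:"body"` // raw request body as logged
}

// teamCreateBody carries only the invite-controlled fields we care about.
type teamCreateBody struct {
	Name            string `json:"name"`
	AllowOpenInvite bool   `json:"allow_open_invite"`
	AllowedDomains  string `json:"allowed_domains"`
}

// Finding is one team creation that set a privileged field without the
// caller holding PermissionInviteUser.
type Finding struct {
	Timestamp, UserID, TeamName string
	AllowOpenInvite             bool
	AllowedDomains              string
}

// DetectInviteFieldAbuse scans newline-delimited JSON audit records. hasInvite
// maps user IDs to whether they hold PermissionInviteUser (from your role data).
func DetectInviteFieldAbuse(logs string, hasInvite map[string]bool) ([]Finding, error) {
	var out []Finding
	for n, line := range strings.Split(logs, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		// Only the creation endpoint is in scope; update/patch already enforce the check.
		if ev.Method != "POST" || ev.Path != "/api/v4/teams" {
			continue
		}
		var body teamCreateBody
		if err := json.Unmarshal([]byte(ev.Body), &body); err != nil {
			return nil, fmt.Errorf("line %d: bad request body: %w", n+1, err)
		}
		privileged := body.AllowOpenInvite || body.AllowedDomains != ""
		if !privileged || hasInvite[ev.UserID] {
			continue
		}
		out = append(out, Finding{
			Timestamp: ev.Timestamp, UserID: ev.UserID, TeamName: body.Name,
			AllowOpenInvite: body.AllowOpenInvite, AllowedDomains: body.AllowedDomains,
		})
	}
	return out, nil
}

// SampleLogs is constructed sample data, not captured from a real server.
const SampleLogs = `
{"ts":"2026-06-13T09:00:00Z","user_id":"u_alice","method":"POST","path":"/api/v4/teams","body":"{\"name\":\"eng\",\"display_name\":\"Eng\",\"type\":\"O\"}"}
{"ts":"2026-06-13T09:05:00Z","user_id":"u_bob","method":"POST","path":"/api/v4/teams","body":"{\"name\":\"open-bob\",\"type\":\"O\",\"allow_open_invite\":true}"}
{"ts":"2026-06-13T09:07:00Z","user_id":"u_carol","method":"POST","path":"/api/v4/teams","body":"{\"name\":\"scoped\",\"type\":\"I\",\"allowed_domains\":\"evil.example\"}"}
{"ts":"2026-06-13T09:09:00Z","user_id":"u_admin","method":"POST","path":"/api/v4/teams","body":"{\"name\":\"public\",\"type\":\"O\",\"allow_open_invite\":true}"}
{"ts":"2026-06-13T09:10:00Z","user_id":"u_bob","method":"PUT","path":"/api/v4/teams/t1/patch","body":"{\"allow_open_invite\":true}"}
`

// SampleRoles is a constructed map of who holds PermissionInviteUser.
var SampleRoles = map[string]bool{"u_admin": true}

func main() {
	findings, err := DetectInviteFieldAbuse(SampleLogs, SampleRoles)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s user=%s team=%s allow_open_invite=%t allowed_domains=%q\n",
			f.Timestamp, f.UserID, f.TeamName, f.AllowOpenInvite, f.AllowedDomains)
	}
}
```

On the sample data the scan reports u_bob (open invite) and u_carol (allowed domains) and ignores u_alice (no privileged field), u_admin (holds the permission) and the patch request (a different endpoint, where the check is already enforced). Feed it the real audit log and a role export from the instance rather than the constructed inputs.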

Monitoring Recommendations

  • Forward Mattermost server access and audit logs to a centralized logging platform for retention and analysis.
  • Alert when a user who would be refused an update or patch setting allow_open_invite or allowed_domains succeeds in setting the same fields through team creation; the create and update paths should enforce identical rules, so a difference indicates either this vulnerability or a regression of its fix.
  • Review team configuration drift weekly to identify teams configured outside expected organizational policy.

How to Mitigate CVE-2026-6689

Immediate Actions Required

  • Upgrade Mattermost Server to a fixed release listed in the vendor advisory MMSA-2026-00655.
  • Audit existing teams for unexpected AllowOpenInvite or AllowedDomains values created since the affected versions were deployed.
  • Restrict PermissionCreateTeam to trusted roles in environments where immediate patching is not possible.
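The team audit in the second action above, as an added Go example that is not part of this page or of Mattermost. It pages through GET /api/v4/teams with a bearer token and flags teams created since a given date that carry either invite-controlled setting; the creator of each flagged team is then checked against the audit log. The page/per_page query parameters, the JSON array response and the create_at epoch-millisecond field are assumptions about the v4 API; the sample JSON and the MM_URL and MM_TOKEN environment variables are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Team holds the fields of a team record relevant to this audit. JSON tags are
// assumed to follow the v4 API, with create_at in epoch milliseconds.
type Team struct {
	ID              string `json:"id"`
	Name            string `json:"name"`
	CreateAt        int64  `json:"create_at"`
	AllowOpenInvite bool   `json:"allow_open_invite"`
	AllowedDomains  string `json:"allowed_domains"`
}

// ParseTeams decodes one page of the teams listing.
func ParseTeams(data []byte) ([]Team, error) {
	var teams []Team
	if err := json.Unmarshal(data, &teams); err != nil {
		return nil, err
	}
	return teams, nil
}

// FlagTeams returns teams created at or after `since` that carry either
// invite-controlled setting. Each needs a manual check of who created it (for
// example via the audit log) and whether the setting is intended.
func FlagTeams(teams []Team, since time.Time) []Team {
	var out []Team
	cut := since.UnixMilli()
	for _, t := range teams {
		if t.CreateAt >= cut && (t.AllowOpenInvite || t.AllowedDomains != "") {
			out = append(out, t)
		}
	}
	return out
}

// fetchPage requests one page of teams (assumed endpoint shape, see lead-in).
func fetchPage(baseURL, token string, page int) ([]Team, error) {
	url := fmt.Sprintf("%s/api/v4/teams?page=%d&per_page=200", baseURL, page)
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("page %d: HTTP %d", page, resp.StatusCode)
	}
	var batch []Team
	if err := json.NewDecoder(resp.Body).Decode(&batch); err != nil {
		return nil, fmt.Errorf("page %d: %w", page, err)
	}
	return batch, nil
}

// FetchAllTeams walks the listing until an empty page is returned.
func FetchAllTeams(baseURL, token string) ([]Team, error) {
	var all []Team
	for page := 0; ; page++ {
		batch, err := fetchPage(baseURL, token, page)
		if err != nil {
			return nil, err
		}
		if len(batch) == 0 {
			return all, nil
		}
		all = append(all, batch...)
	}
}

// SampleTeamsJSON is constructed sample data, not a capture from a real server.
const SampleTeamsJSON = `[
 {"id":"t1","name":"old-open","create_at":1779000000000,"allow_open_invite":true,"allowed_domains":""},
 {"id":"t2","name":"new-open","create_at":1781000000000,"allow_open_invite":true,"allowed_domains":""},
 {"id":"t3","name":"new-scoped","create_at":1782000000000,"allow_open_invite":false,"allowed_domains":"example.com"},
 {"id":"t4","name":"new-plain","create_at":1783000000000,"allow_open_invite":false,"allowed_domains":""}
]`

func main() {
	// Set `since` to the date the affected versions were deployed (assumed default: 90 days).
	since := time.Now().AddDate(0, 0, -90)
	var teams []Team
	var err error
	if base, tok := os.Getenv("MM_URL"), os.Getenv("MM_TOKEN"); base != "" && tok != "" {
		teams, err = FetchAllTeams(base, tok)
	} else {
		teams, err = ParseTeams([]byte(SampleTeamsJSON)) // offline run on constructed data
		since = time.UnixMilli(1780000000000)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	for _, t := range FlagTeams(teams, since) {
		fmt.Printf("%s (%s) created_at=%s allow_open_invite=%t allowed_domains=%q\n",
			t.Name, t.ID, time.UnixMilli(t.CreateAt).UTC().Format(time.RFC3339), t.AllowOpenInvite, t.AllowedDomains)
	}
}
```

Run it with MM_URL and MM_TOKEN set to list candidates from a live instance, or without them to see the filter applied to the constructed sample, where t2 and t3 are flagged and t1 is ignored because it predates the window.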

Patch Information

Mattermost has issued fixed releases addressing the missing authorization check during team creation. Administrators should consult the Mattermost Security Updates page for the specific patched version applicable to their deployment branch and apply updates promptly.

Workarounds

  • Remove PermissionCreateTeam from default user roles until the patch is applied.
  • Periodically reset AllowOpenInvite to false on teams created by users without PermissionInviteUser.
  • Enforce domain allow-listing centrally through administrative policy rather than relying on team-level settings.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
