CVE-2026-6739

CVSS v3.1

6.7

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API.. Mattermost Advisory ID: MMSA-2026-00656

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-6739

Affected Products

Mattermost

CVE-2026-6739

Weakness Enumeration

Related Identifiers

Affected Products

References · 2