Description
Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
Vendor Solution
Update Mattermost to versions 11.8.0, 11.7.2, 11.6.5, 10.11.20 or higher.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
| Link | Providers |
|---|---|
| https://mattermost.com/security-updates |
|
History
Mon, 13 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653 | |
| Title | Unscoped updates to other playbooks' metric configuration | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2026-07-13T10:53:15.958Z
Reserved: 2026-04-17T17:54:44.831Z
Link: CVE-2026-6541
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses