CVE-2026-26304 PUBLISHED

Permission Bypass in Playbook Run Creation

Assigner: Mattermost
Reserved: 13.02.2026 Published: 16.03.2026 Updated: 17.03.2026

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Product Status

Vendor Mattermost
Product Mattermost
Versions Default: unaffected
  • affected from 11.3.0 to 11.3.0 (incl.)
  • affected from 11.2.0 to 11.2.2 (incl.)
  • Version 11.4.0 is unaffected
  • Version 11.3.1 is unaffected
  • Version 11.2.3 is unaffected

Solutions

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or higher.

Credits

  • 0x7oda7123 finder

References

Problem Types

  • CWE-863: Incorrect Authorization CWE