CVE-2026-26304

MEDIUM

Permission Bypass in Playbook Run Creation

Title source: cna

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-863

Status published

Products (7)

Mattermost/Mattermost 11.2.0 - 11.2.2

Mattermost/Mattermost 11.2.3

Mattermost/Mattermost 11.3.0

Mattermost/Mattermost 11.3.1

Mattermost/Mattermost 11.4.0

mattermost/mattermost-plugin-playbooks 0 - 1.41.1-0.20260316224925-705f54a81841Go

mattermost/mattermost_server 11.2.0 - 11.2.3

Published Mar 16, 2026

Tracked Since Mar 17, 2026