CVE-2026-26304 — Incorrect Authorization in Mattermost Mattermost-plugin-playbooks

CWE-863 — Incorrect Authorization6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 91.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-plugin-playbooks Mattermost Server Mattermost

Timeline

PublishedMar 16

Latest updateMar 23

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Gogithub.com/mattermost_mattermost-plugin-playbooks< 1.41.1-0.20260316224925-705f54a81841

▶NVDmattermost/mattermost_server11.2.0 — 11.2.3+1

▶CVEListV5mattermost/mattermost11.3.0 — 11.3.0+1

🔴Vulnerability Details

OSV

Mattermost fails to verify run_create permission for empty playbookId in github.com/mattermost/mattermost-plugin-playbooks↗2026-03-23

▶

OSV

Mattermost fails to verify run_create permission for empty playbookId↗2026-03-16

▶

CVEList

Permission Bypass in Playbook Run Creation↗2026-03-16

▶

GHSA

Mattermost fails to verify run_create permission for empty playbookId↗2026-03-16

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26304 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶