CVE-2026-26304
published 2026-03-16CVE-2026-26304: Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create…
medium4.3CVSS 3.1
AVNACLPRLUINSUCNILAN
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-plugin-playbooks | >= 0 < 1.41.1-0.20260316224925-705f54a81841 | 1.41.1-0.20260316224925-705f54a81841 |
| mattermost | mattermost | 11.2.0 – 11.2.2 | — |
| mattermost | mattermost | 11.3.0 – 11.3.0 | — |
| mattermost | mattermost_server | >= 11.2.0 < 11.2.3 | 11.2.3 |
| mattermost | mattermost_server | >= 11.3.0 < 11.3.1 | 11.3.1 |