Github.Com Mattermost Mattermost-Plugin-Playbooks vulnerabilities

4 known vulnerabilities affecting github.com/mattermost_mattermost-plugin-playbooks.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 3, LOW 1

Vulnerabilities

CVE-2026-26304 | Severity: MEDIUM | Affected: ≥ 0, < 1.41.1-0.20260316224925-705f54a81841 | Date: 2026-03-16
CVE-2026-26304 [MEDIUM] CWE-863 Mattermost fails to verify run_create permission for empty playbookId. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
CVE-2025-35965 | Severity: MEDIUM | Affected: ≥ 2.0.0; ≥ 0, < 1.41.0 | Date: 2025-04-24
CVE-2025-35965 [MEDIUM] CWE-770 Mattermost Playbooks fails to validate the uniqueness and quantity of task actions. Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts
CVE-2025-41395 | Severity: MEDIUM | Affected: ≥ 2.0.0; ≥ 0, < 1.41.0 | Date: 2025-04-24
CVE-2025-41395 [MEDIUM] CWE-1287 Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type. Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with malicious
CVE-2025-41423 | Severity: LOW | Affected: ≥ 2.0.0; ≥ 0, < 1.41.0 | Date: 2025-04-24
CVE-2025-41423 [LOW] CWE-863 Mattermost Playbooks fails to properly validate permissions. Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.