Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
Published: 2026-03-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Playbook Run Creation
Action: Apply Patch
AI Analysis

Impact

Mattermost Server versions 11.3.x up to 11.3.0 and 11.2.x up to 11.2.2 contain a missing access control flaw (CWE-863). The server accepts a run_create request with an empty playbookId without verifying the run_create permission, allowing authenticated team members to create playbook runs they are not authorized to initiate. This permits unauthorized execution of playbook workflows and can lead to undesired or malicious actions within the application.

Affected Systems

Mattermost server versions 11.3.x up to 11.3.0 and 11.2.x up to 11.2.2 are affected.

Risk and Exploitability

The CVSS score is 4.3, indicating low severity. The EPSS score is less than 1%, showing a very low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated API access within a team, suggesting the attack vector is internal or requires compromised credentials. Although the risk appears low, the flaw allows unauthorized execution of playbook runs, potentially compromising application integrity.

Generated by OpenCVE AI on March 18, 2026 at 15:26 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or higher.


OpenCVE Recommended Actions

  • Apply the recommended Mattermost updates to versions 11.4.0, 11.3.1, 11.2.3 or higher.
  • If immediate patching is not possible, restrict API access to the playbook run endpoint or block calls with an empty playbookId.
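The flaw described in the analysis above is a missing authorization check that is only reached when a playbookId is present, and the interim mitigation is to reject calls with an empty playbookId. The following Go snippet is an added example, not Mattermost's code, and its types, permission map and user or playbook names are all hypothetical constructed data; it places a flawed check beside a fail-closed one so the difference in behaviour on an empty identifier can be seen directly.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example (not Mattermost's code): a simplified, hypothetical model of
// playbook-run authorization showing why an empty playbookId must be rejected
// before any permission lookup, and what a fail-closed check looks like.

// RunCreateRequest is a hypothetical stand-in for the run-creation API payload.
type RunCreateRequest struct {
	PlaybookID string
	TeamID     string
}

// Permissions maps playbookID -> userID -> whether run_create is granted.
// Constructed sample data; a real server resolves this from its permission model.
type Permissions struct {
	runCreate map[string]map[string]bool
}

var (
	ErrEmptyPlaybookID = errors.New("playbookId is required")
	ErrForbidden       = errors.New("forbidden: caller lacks run_create on this playbook")
)

// hasRunCreate returns false for unknown playbooks and unknown users
// (indexing a nil inner map yields the zero value, false).
func (p *Permissions) hasRunCreate(playbookID, userID string) bool {
	return p.runCreate[playbookID][userID]
}

// authorizeRunCreateVulnerable illustrates the flawed pattern the advisory
// describes: the playbook-scoped check only runs when a playbookId is present,
// so a request with an empty playbookId is accepted with no permission check.
func authorizeRunCreateVulnerable(p *Permissions, userID string, req RunCreateRequest) error {
	if req.PlaybookID != "" && !p.hasRunCreate(req.PlaybookID, userID) {
		return ErrForbidden
	}
	return nil
}

// authorizeRunCreateFixed fails closed: validate the identifier first, then
// require run_create on that specific playbook.
func authorizeRunCreateFixed(p *Permissions, userID string, req RunCreateRequest) error {
	if req.PlaybookID == "" {
		return ErrEmptyPlaybookID
	}
	if !p.hasRunCreate(req.PlaybookID, userID) {
		return ErrForbidden
	}
	return nil
}

// samplePermissions builds constructed test data: only "alice" may create
// runs from playbook "pb-1".
func samplePermissions() *Permissions {
	return &Permissions{runCreate: map[string]map[string]bool{
		"pb-1": {"alice": true},
	}}
}

func main() {
	p := samplePermissions()
	cases := []struct {
		user string
		req  RunCreateRequest
	}{
		{"alice", RunCreateRequest{PlaybookID: "pb-1", TeamID: "team-1"}},
		{"bob", RunCreateRequest{PlaybookID: "pb-1", TeamID: "team-1"}},
		{"bob", RunCreateRequest{PlaybookID: "", TeamID: "team-1"}}, // the advisory's case
	}
	for _, c := range cases {
		fmt.Printf("user=%-5s playbookId=%q vulnerable=%v fixed=%v\n",
			c.user, c.req.PlaybookID,
			authorizeRunCreateVulnerable(p, c.user, c.req),
			authorizeRunCreateFixed(p, c.user, c.req))
	}
}
```

The point of the fixed variant is ordering: the identifier is validated before any lookup, so there is no code path on which an absent playbook silently skips the permission decision. The same principle applies to a gateway rule added as an interim mitigation, which should reject the request outright rather than forward it for the server to decide.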



Advisories
Source      | ID                  | Title
GitHub GHSA | GHSA-4pmx-622h-x359 | Mattermost fails to verify run_create permission for empty playbookId
References
History

Wed, 18 Mar 2026 14:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost mattermost Server
CPEs                |                | cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Mattermost mattermost Server

Tue, 17 Mar 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost
Vendors & Products  |                | Mattermost; Mattermost mattermost

Mon, 16 Mar 2026 20:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
Title       |                | Permission Bypass in Playbook Run Creation
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-17T13:38:03.996Z

Reserved: 2026-02-13T10:43:14.474Z

Link: CVE-2026-26304

Vulnrichment

Updated: 2026-03-17T13:38:00.683Z

NVD

Status: Analyzed

Published: 2026-03-16T20:16:17.730

Modified: 2026-03-18T13:56:31.340

Link: CVE-2026-26304

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:50Z

Weaknesses