Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552
Published: 2026-05-18
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Mattermost's playbooks plugin, where playbook updates do not validate changes to the team identifier. Because of this validation gap, a user possessing only the Manage Playbook Configurations permission can modify the team attached to a playbook and, through the standard PUT API, effectively remove or add members from that team without proper authorization. This flaw is categorized as a Cumulative Authorization Problem (CWE‑863) and can lead to unauthorized removal of member access or alteration of playbook scope.

Affected Systems

Affected are Mattermost server releases 11.5.x through 11.5.1 and 10.11.x through 10.11.13. Administrators should check installed versions and ensure they are not within the vulnerable range. Versions 11.6.0, 11.5.2, and 10.11.14 and later contain the fix.

Risk and Exploitability

The CVSS score of 3.1 indicates low overall severity, but the flaw is still exploitable for users who can obtain Manage Playbook Configurations rights, which may exist in large organizations. With no EPSS data and no KEV listing, the likelihood of public exploitation remains unclear, yet the attack would proceed by sending an authenticated PUT request to the playbook endpoint while supplying a new team ID. Therefore the risk is primarily internal and mitigated by immediate patching and strict permission controls.

Generated by OpenCVE AI on May 18, 2026 at 10:25 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14 or higher.

OpenCVE Recommended Actions

  • Apply the CNA‑specified patch to upgrade Mattermost to at least 11.6.0, 11.5.2, or 10.11.14
  • Re‑audit playbook team assignments and remove any unauthorized team changes
  • Enforce least privilege on the Manage Playbook Configurations role to limit who can alter playbook teams

Generated by OpenCVE AI on May 18, 2026 at 10:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Mon, 18 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552
Title Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:07:06.829Z

Reserved: 2026-03-16T16:29:41.559Z

Link: CVE-2026-4286

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-18T09:16:22.990

Modified: 2026-05-18T09:16:22.990

Link: CVE-2026-4286

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T11:30:23Z

Weaknesses