Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions, which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591
Published: 2026-05-18
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mattermost Playbooks plugin, in the affected Mattermost server versions, fails to verify whether the requesting user has permission to view public playbooks. Its /get list endpoints return public playbooks without checking the caller’s role or the playbook’s privacy setting. As a result, any user who can reach these endpoints can read the contents of public playbooks that the normal access controls would withhold from them. The weakness maps to CWE-863, Missing Authorization.

Affected Systems

Mattermost. The issue exists in server versions 11.5.0 through 11.5.1, 10.11.0 through 10.11.13, and 11.4.0 through 11.4.3. Deployments running any of these releases are vulnerable until the server is upgraded or the Playbooks plugin is removed.

Risk and Exploitability

The vulnerability is an authorization flaw that is triggered by calling the plugin’s list endpoints over the network. For an attacker who can reach these endpoints, which could be anyone with network access to the Mattermost instance, the flaw yields read access to private or public playbooks that should be protected. The EPSS score is unavailable, and the vulnerability is not yet listed in CISA KEV. Given the CVSS score of 4.3, the risk is moderate rather than critical. Attackers do not need elevated privileges; local or remote access suffices. Because only the ability to contact the endpoint is required, exploitation can follow quickly if the plugin remains unpatched.

Generated by OpenCVE AI on May 18, 2026 at 10:23 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to a fixed release (11.6.0, 11.5.2, 10.11.14, or 11.4.4) or later, as specified by the advisory.
  • After upgrading, confirm that the Playbooks plugin’s /get endpoints return results only to users with appropriate view permissions.
  • If an immediate upgrade is not possible, temporarily disable the Playbooks plugin until a patched version is installed.
  • Apply role-based access controls to restrict who can invoke the Playbooks plugin endpoints, limiting exposure while a permanent fix is pending.
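As an added illustration of the weakness class described in the Impact section, and of the post-upgrade check recommended above, not code from Mattermost or the Playbooks plugin: a minimal Go list handler in the vulnerable shape beside one that applies a per-playbook view check before returning results. The Playbook type, the permission names and the Permissions authorizer are hypothetical stand-ins, not the plugin's own types or Mattermost permission IDs.

```go
package main

// Playbook is a constructed stand-in for this example, not the plugin's own type.
type Playbook struct {
	ID, TeamID string
	Public     bool
	Members    map[string]bool // user IDs with explicit membership
}

// Hypothetical permission names and authorizer; not Mattermost's permission IDs.
const (
	PermViewPublic  = "view_public_playbooks"
	PermViewPrivate = "view_private_playbooks"
)

type Permissions map[string]map[string]map[string]bool // user -> team -> perm

func (p Permissions) Has(user, team, perm string) bool { return p[user][team][perm] }

func filter(all []Playbook, keep func(Playbook) bool) []Playbook {
	var out []Playbook
	for _, pb := range all {
		if keep(pb) {
			out = append(out, pb)
		}
	}
	return out
}

// listVulnerable shows the CWE-863 pattern the advisory describes: every public
// playbook is returned and the caller's permissions are never consulted.
func listVulnerable(all []Playbook, _ string, _ Permissions) []Playbook {
	return filter(all, func(pb Playbook) bool { return pb.Public })
}

// canView is the per-item decision the hardened list applies: a public playbook
// needs the team-level view-public permission, a private one explicit membership
// or the view-private permission.
func canView(pb Playbook, user string, perms Permissions) bool {
	if pb.Public {
		return perms.Has(user, pb.TeamID, PermViewPublic)
	}
	return pb.Members[user] || perms.Has(user, pb.TeamID, PermViewPrivate)
}

// listHardened filters server-side, so a caller only ever sees what it may view.
func listHardened(all []Playbook, user string, perms Permissions) []Playbook {
	return filter(all, func(pb Playbook) bool { return canView(pb, user, perms) })
}
```

The same filtering decision is what the post-upgrade verification in the recommended actions should observe: a caller without the view permission in a team gets an empty list, not the team's public playbooks.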

Generated by OpenCVE AI on May 18, 2026 at 10:23 UTC.

Tracking


Advisories

No advisories yet.

References
History

Mon, 18 May 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Mattermost; Mattermost mattermost
Type: Vendors & Products
Values Added: Mattermost; Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type: Description
Values Added: Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591
Type: Title
Values Added: Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks
Type: Weaknesses
Values Added: CWE-863
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:32:28.121Z

Reserved: 2026-04-15T10:41:22.511Z

Link: CVE-2026-6343

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T09:16:23.713

Modified: 2026-05-18T09:16:23.713

Link: CVE-2026-6343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z

Weaknesses