Moderate severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 17, 2026
Permission Bypass in Playbook Run Creation
CVE-2026-26304
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-plugin-playbooks (Go) | < 1.41.1-0.20260316224925-705f54a81841 | 1.41.1-0.20260316224925-705f54a81841 |
Affected products: 3
- ghsa-coords (2 versions): pkg:golang/github.com/mattermost/mattermost-plugin-playbooks, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  range: < 1.41.1-0.20260316224925-705f54a81841 (+ 1 more)
- (no CPE) range: < 1.41.1-0.20260316224925-705f54a81841
- (no CPE) range: < 0.0.20260326T203309-150000.1.155.2
- Range: 11.3.0
References: 4
- github.com/advisories/GHSA-4pmx-622h-x359 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-26304 (ghsa, ADVISORY)
- github.com/mattermost/mattermost-plugin-playbooks/commit/705f54a818410f3612df3865bfde608ed471037e (ghsa, WEB)