VYPR
Moderate severityNVD Advisory· Published Mar 16, 2026· Updated Mar 17, 2026

Permission Bypass in Playbook Run Creation

CVE-2026-26304

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/mattermost/mattermost-plugin-playbooksGo
< 1.41.1-0.20260316224925-705f54a818411.41.1-0.20260316224925-705f54a81841

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.