CVE-2026-4055
Description
Mattermost versions 11.5.x <= 11.5.1 fail to validate the team-level run_create permission against the target team when creating a playbook run, which allows an authenticated team member to create runs in teams where they lack permission by specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost 11.5.0 and 11.5.1 allow authenticated users to create playbook runs in teams where they lack run_create permission by manipulating the team ID in the API request.
Vulnerability
Mattermost versions 11.5.0 and 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run via the API. An authenticated team member can specify a different team ID in the run creation request, bypassing permission checks. This affects the playbook run creation endpoint. [1]
Exploitation
An attacker must be an authenticated user with membership in at least one team. They can craft a POST request to the run creation API, providing a team_id parameter that corresponds to a team where they lack run_create permission. The server does not verify that the user has the required permission for the specified team, allowing the run to be created in that team.
Impact
An authenticated attacker can create playbook runs in teams where they do not have the run_create permission. This could lead to unauthorized use of playbook resources, potential disruption, or information disclosure depending on the playbook configuration. The attacker gains the ability to execute playbook runs in restricted teams.
Mitigation
Mattermost has not yet released a fixed version as of the publication date (2026-05-21). Users should monitor the Mattermost security updates page [1] for patches. As a workaround, administrators can restrict API access or review team permissions. No KEV listing is known.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >= 11.5.0, <= 11.5.1
Patches
161edcdbfcc80 [MM-67626] Update Playbooks plugin to v2.8.0 (#35549) (#35588)
1 file changed · +2 −2
server/Makefile+2 −2 modified@@ -158,7 +158,7 @@ PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.4 PLUGIN_PACKAGES += mattermost-plugin-github-v2.6.0 PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.12.0 PLUGIN_PACKAGES += mattermost-plugin-jira-v4.5.1 -PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.7.0 +PLUGIN_PACKAGES += mattermost-plugin-playbooks-v2.8.0 PLUGIN_PACKAGES += mattermost-plugin-servicenow-v2.4.0 PLUGIN_PACKAGES += mattermost-plugin-zoom-v1.12.0 PLUGIN_PACKAGES += mattermost-plugin-agents-v1.7.2 @@ -174,7 +174,7 @@ PLUGIN_PACKAGES += mattermost-plugin-channel-export-v1.3.0 # download the package from to work. This will no longer be needed when we unify # the way we pre-package FIPS and non-FIPS plugins. ifeq ($(FIPS_ENABLED),true) - PLUGIN_PACKAGES = mattermost-plugin-playbooks-v2.7.0%2B1031c5e-fips + PLUGIN_PACKAGES = mattermost-plugin-playbooks-v2.8.0%2Bc4449ac-fips PLUGIN_PACKAGES += mattermost-plugin-agents-v1.7.2%2B866e2dd-fips PLUGIN_PACKAGES += mattermost-plugin-boards-v9.2.2%2B4282c63-fips endif
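Review bot: the first hunk only moves the pinned non-FIPS package from mattermost-plugin-playbooks-v2.7.0 to mattermost-plugin-playbooks-v2.8.0, so the missing team-level run_create check that MMSA-2026-00629 describes is not visible anywhere in this diff; before the authorization fix itself can be reviewed, the PR description should link the corresponding change in the Playbooks plugin repository, and the commit message should cite the v2.8.0 changelog entry it is picking up rather than only the ticket number.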
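Review bot: in the second hunk the FIPS branch assigns `PLUGIN_PACKAGES = mattermost-plugin-playbooks-v2.8.0%2Bc4449ac-fips` with `=` rather than `+=`, so it replaces the list built above instead of appending to it; the preceding comment says this is a known wart until FIPS and non-FIPS pre-packaging are unified, but because the two playbooks pins live in different places, a single version variable (or at least a comment pointing from one line to the other) would stop a future bump from updating one and leaving the other on the vulnerable 2.7.0. The `%2B` is a URL-encoded `+` inside the package name, which a Makefile reader may not expect; a short comment on why it is encoded that way would help.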
Vulnerability mechanics
Root cause
"Missing server-side authorization check allows an authenticated user to specify a different team ID in the playbook run creation API request, bypassing the team-level run_create permission check."
Attack vector
An authenticated Mattermost user who is a member of at least one team can craft a playbook run creation API request with a team_id parameter pointing to a different team where they lack the run_create permission. The server fails to validate that the user holds the required team-level permission for the target team [CWE-863]. The attack is performed over the network with no special privileges beyond a valid session, and the payload is simply a modified JSON field in the API call.
Affected code
The vulnerability exists in the Playbooks plugin bundled with Mattermost. The patch updates the plugin from version 2.7.0 to 2.8.0 in the server/Makefile [patch_id=1158534]. The advisory does not specify the exact function or file path within the plugin where the missing authorization check occurs.
What the fix does
The patch updates the Playbooks plugin from version 2.7.0 to 2.8.0 [patch_id=1158534]. While the advisory does not detail the exact code change within the plugin, the version bump indicates that the playbook run creation endpoint was corrected to validate the run_create permission against the team specified in the request rather than the requester's default team. This closes the authorization bypass by ensuring the permission check uses the target team ID provided by the user.
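To make the missing check concrete, here is an added Go example that is not code from Mattermost or the Playbooks plugin. It is a minimal run-creation handler with the permission check written two ways: once against a stand-in "current team" taken from the session (the pattern the advisory describes, where the check ignores the team the request actually names) and once against the team_id in the request body. The permission store, the Session type, the user and team names, the permission name run_create as a plain string, and the /example/runs path are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PermissionStore is a constructed stand-in for a team permission model:
// userID -> teamID -> permission name -> granted. Lookups on missing keys
// fall through nil maps and yield false, which is the safe default.
type PermissionStore map[string]map[string]map[string]bool

func (s PermissionStore) HasTeamPermission(userID, teamID, perm string) bool {
	return s[userID][teamID][perm]
}

// RunCreateRequest carries the one field that matters for this bug: the team
// the run is created in comes from the request body, under the caller's control.
type RunCreateRequest struct {
	TeamID string `json:"team_id"`
	Name   string `json:"name"`
}

// Session is a hypothetical caller context; CurrentTeam stands in for whatever
// proxy the flawed check used instead of the requested team.
type Session struct {
	UserID      string
	CurrentTeam string
}

var ErrForbidden = errors.New("forbidden: missing run_create in target team")

// authorizeRunCreateVulnerable checks run_create against the session's current
// team, not the team named in the request. A caller holding run_create in any
// one team can therefore create runs in every team by changing team_id.
func authorizeRunCreateVulnerable(store PermissionStore, sess Session, req RunCreateRequest) error {
	if !store.HasTeamPermission(sess.UserID, sess.CurrentTeam, "run_create") {
		return ErrForbidden
	}
	return nil
}

// authorizeRunCreateFixed checks run_create against req.TeamID, the team the
// run would actually land in: authorize the object the request names, not a
// proxy for it (the CWE-863 remediation).
func authorizeRunCreateFixed(store PermissionStore, sess Session, req RunCreateRequest) error {
	if req.TeamID == "" {
		return errors.New("bad request: team_id is required")
	}
	if !store.HasTeamPermission(sess.UserID, req.TeamID, "run_create") {
		return ErrForbidden
	}
	return nil
}

type authorizer func(PermissionStore, Session, RunCreateRequest) error

// runCreateHandler decodes the JSON body, applies the chosen authorizer and
// then "creates" the run; creation is stubbed because the status code is the point.
func runCreateHandler(store PermissionStore, sess Session, authz authorizer) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req RunCreateRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request: invalid JSON", http.StatusBadRequest)
			return
		}
		if err := authz(store, sess, req); err != nil {
			if errors.Is(err, ErrForbidden) {
				http.Error(w, err.Error(), http.StatusForbidden)
			} else {
				http.Error(w, err.Error(), http.StatusBadRequest)
			}
			return
		}
		w.WriteHeader(http.StatusCreated)
		fmt.Fprintf(w, `{"team_id":%q,"name":%q}`, req.TeamID, req.Name)
	}
}

// PostRun drives the handler in-process with a JSON body and returns the HTTP
// status, so the two authorizers can be compared on the same request.
func PostRun(store PermissionStore, sess Session, authz authorizer, body string) int {
	rec := httptest.NewRecorder()
	r := httptest.NewRequest(http.MethodPost, "/example/runs", strings.NewReader(body)) // placeholder path
	runCreateHandler(store, sess, authz)(rec, r)
	return rec.Code
}

// ExampleStore is constructed data: alice holds run_create in team-a only.
func ExampleStore() PermissionStore {
	return PermissionStore{
		"alice": {
			"team-a": {"run_create": true},
			"team-b": {},
		},
	}
}

func main() {
	store := ExampleStore()
	sess := Session{UserID: "alice", CurrentTeam: "team-a"}
	body := `{"team_id":"team-b","name":"incident-42"}`
	fmt.Println("vulnerable:", PostRun(store, sess, authorizeRunCreateVulnerable, body)) // 201
	fmt.Println("fixed:     ", PostRun(store, sess, authorizeRunCreateFixed, body))      // 403
}
```

The fixed variant also rejects a missing team_id outright rather than letting it fall through to an empty-string lookup, which is the kind of edge that a "default team" fallback tends to paper over. A unit test that posts a run with a team_id the caller does not belong to, and expects 403, is the regression check that would have caught the original bug.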
Preconditions
- auth: Attacker must be an authenticated Mattermost user with a valid session.
- auth: Attacker must be a member of at least one team (to have access to the playbook run creation API).
- config: The target team must have playbook runs enabled and the attacker must know the target team ID.
Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.