{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26304", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-13T10:43:14.474Z", "datePublished": "2026-03-16T19:53:21.650Z", "dateUpdated": "2026-03-17T13:38:03.996Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.3.0", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThanOrEqual": "11.2.2", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"version": "11.4.0", "status": "unaffected"}, {"version": "11.3.1", "status": "unaffected"}, {"version": "11.2.3", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0x7oda7123"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-863: Incorrect Authorization", "cweId": "CWE-863"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00542", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2025-00542", "defect": ["https://mattermost.atlassian.net/browse/MM-66248"], "discovery": "EXTERNAL"}, "title": "Permission Bypass in Playbook Run Creation", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-16T19:53:21.650Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:37:56.844126Z", "id": "CVE-2026-26304", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:38:03.996Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:37:56.844126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:38:00.683Z"}}], "cna": {"title": "Permission Bypass in Playbook Run Creation", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-66248"], "advisory": "MMSA-2025-00542", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "0x7oda7123"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.3.0", "versionType": "semver", "lessThanOrEqual": "11.3.0"}, {"status": "affected", "version": "11.2.0", "versionType": "semver", "lessThanOrEqual": "11.2.2"}, {"status": "unaffected", "version": "11.4.0"}, {"status": "unaffected", "version": "11.3.1"}, {"status": "unaffected", "version": "11.2.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00542", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-16T19:53:21.650Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26304", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:38:03.996Z", "dateReserved": "2026-02-13T10:43:14.474Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-03-16T19:53:21.650Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881", "versionEndExcluding": "11.2.3", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "945A6E29-209F-4992-8692-BEF63DCB6B98", "versionEndExcluding": "11.3.1", "versionStartIncluding": "11.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542"}], "id": "CVE-2026-26304", "lastModified": "2026-03-18T13:56:31.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-03-16T20:16:17.730", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.3.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.2.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.3.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.2.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-03-18T15:26:48.791013+00:00", "value": {"mitigation_remediation": ["Apply the recommended Mattermost updates to versions 11.4.0, 11.3.1, 11.2.3 or higher.", "If immediate patching is not possible, restrict API access to the playbook run endpoint or block calls with an empty playbookId."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Playbook Run Creation"}, "threat_synthesis": {"affected_systems": "Mattermost server versions 11.3.x up to 11.3.0 and 11.2.x up to 11.2.2 are affected.", "description_and_impact": "Mattermost servers version 11.3.x up to 11.3.0 and 11.2.x up to 11.2.2 contain a missing access control flaw. The system incorrectly accepts a run_create request with an empty playbookId, allowing authenticated users to create playbook runs they are not authorized to initiate. This flaw permits arbitrary execution of playbook workflows and can lead to undesired or malicious actions within the application, as identified by CWE\u2011863.", "risk_and_exploitability": "The CVSS score is 4.3, indicating low severity. The EPSS score is less than 1%, showing a very low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated API access within a team, suggesting the attack vector is internal or requires compromised credentials. Although the risk appears low, the flaw allows unauthorized execution of playbook runs, potentially compromising application integrity."}}}}, "created": "2026-03-17T09:52:10.475550+00:00", "updated": "2026-03-24T10:49:50.078997+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}