CVE-2026-4055
Analyzed Analyzed - Analysis Complete
Unauthorized Playbook Run Creation in Mattermost

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-4055
EUVD
EUVD-2026-31221
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.17 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.5 (exc)
mattermost mattermost_server From 11.6.0 (inc) to 11.6.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated team member to create playbook runs in teams where they lack permission by specifying a different team ID. This improper permission validation could lead to unauthorized actions within the system.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized access or actions within a system can potentially lead to violations of data protection and privacy regulations if sensitive data or processes are affected.

Therefore, this vulnerability could negatively impact compliance with such regulations by enabling privilege escalation or unauthorized operations, which are generally against the principles of least privilege and access control required by these standards.

Executive Summary

This vulnerability exists in Mattermost versions 11.5.x up to and including 11.5.1. It occurs because the software fails to properly validate the team-level run_create permission against the target team when creating a playbook run. As a result, an authenticated team member can create runs in teams where they do not have permission by specifying a different team ID in the run creation API request.

Impact Analysis

The impact of this vulnerability is that an authenticated user with limited permissions can create playbook runs in teams where they should not have the ability to do so. This could lead to unauthorized actions or changes within teams, potentially disrupting workflows or causing confusion by allowing users to operate beyond their intended access level.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 where the issue has been fixed.

Additionally, monitor Mattermost security updates and advisories regularly to stay informed about patches and fixes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart