Mattermost Playbooks API Permission Vulnerability Allowing Unauthorized Deletion of Posts

Vulnerability

A vulnerability exists in Mattermost versions 10.4.x through 10.4.2, 10.5.x through 10.5.0, and 9.11.x through 9.11.10. The issue arises from improper validation of permissions for the API endpoint '/plugins/playbooks/api/v0/signal/keywords/ignore-thread'. This flaw allows any user to delete posts generated by the Playbooks bot, regardless of channel access or permissions.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of posts created by the Playbooks bot, potentially disrupting workflows and communication.
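The flaw described above is a missing authorization step: a handler accepts a post ID from the request and deletes the post without checking whether the caller is entitled to act on it. The following Go sketch, added here as an illustration and not taken from Mattermost or the Playbooks plugin, contrasts that pattern with one that authorizes against the post's channel before mutating anything. The `Post`/`Store` types, the sample IDs (`post-1`, `ch-1`, `playbooks-bot`, `member`, `admin`, `outsider`) and the policy enforced (channel membership plus a delete privilege) are all assumptions made for the example; the real fix may apply different rules.

```go
package main

import (
	"errors"
	"fmt"
)

// Everything in this file is a constructed illustration, not Mattermost or Playbooks code.
// Post and Store stand in for the real data model; "playbooks-bot" is a made-up account ID.
type Post struct {
	ID        string
	ChannelID string
	AuthorID  string
}

type Store struct {
	posts     map[string]Post
	members   map[string]map[string]bool // channelID -> set of member userIDs
	canDelete map[string]bool            // userIDs allowed to delete other users' posts
}

var (
	ErrNotFound  = errors.New("post not found")
	ErrForbidden = errors.New("forbidden")
)

// NewSampleStore builds constructed sample data: one bot-authored post in channel "ch-1",
// one ordinary member without delete rights, one admin with them, and an outsider who is
// not a member of the channel at all.
func NewSampleStore() *Store {
	return &Store{
		posts: map[string]Post{
			"post-1": {ID: "post-1", ChannelID: "ch-1", AuthorID: "playbooks-bot"},
		},
		members: map[string]map[string]bool{
			"ch-1": {"member": true, "admin": true, "playbooks-bot": true},
		},
		canDelete: map[string]bool{"admin": true},
	}
}

// HasPost reports whether a post with the given ID still exists.
func (s *Store) HasPost(id string) bool {
	_, ok := s.posts[id]
	return ok
}

// IgnoreThreadUnchecked models the flawed pattern: the handler trusts the post ID taken
// from the request body and never asks who the caller is or which channel the post is in.
func (s *Store) IgnoreThreadUnchecked(callerID, postID string) error {
	if !s.HasPost(postID) {
		return ErrNotFound
	}
	delete(s.posts, postID)
	return nil
}

// IgnoreThreadChecked models the corrected pattern: resolve the post, verify the caller
// is a member of its channel, then verify the caller holds the delete privilege, and only
// then mutate state. A caller outside the channel gets the same error as for a missing
// post, so the endpoint does not confirm which post IDs exist.
func (s *Store) IgnoreThreadChecked(callerID, postID string) error {
	p, ok := s.posts[postID]
	if !ok || !s.members[p.ChannelID][callerID] {
		return ErrForbidden
	}
	if !s.canDelete[callerID] {
		return ErrForbidden
	}
	delete(s.posts, postID)
	return nil
}

func main() {
	for _, caller := range []string{"outsider", "member", "admin"} {
		s := NewSampleStore()
		fmt.Printf("%-8s unchecked: %v\n", caller, s.IgnoreThreadUnchecked(caller, "post-1"))
		s = NewSampleStore()
		fmt.Printf("%-8s checked:   %v\n", caller, s.IgnoreThreadChecked(caller, "post-1"))
	}
}
```

Running `main` shows the unchecked variant succeeding for all three callers, while the checked variant only lets `admin` through. The ordering inside `IgnoreThreadChecked` is the point: the permission decision is made on the resource the request actually targets (the post's channel), not on any channel the client claims to be in, and it happens before the delete.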

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.