Primary

Context

Mattermost Playbook Run API Unauthorized Access Vulnerability

Vulnerability

Patched

A vulnerability exists in Mattermost versions 11.3.x through 11.3.0 and 11.2.x through 11.2.2, where the application fails to properly verify the 'run_create' permission for empty 'playbookId' fields. This oversight allows team members to create unauthorized playbook runs via the Playbook Run API.

Impact

Exploitation of this vulnerability could lead to unauthorized creation of playbook runs, potentially allowing users to execute actions or workflows that they should not have permission to manage.

Remediation

Users can upgrade to Mattermost version 11.5.0 to address this vulnerability.

Added: Mar 16, 2026, 9:11 PM

Updated: Mar 16, 2026, 9:11 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

4.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

4.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Playbook Run API Unauthorized Access Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating