CVE-2026-26304 Overview
CVE-2026-26304 is an Authorization Bypass vulnerability affecting Mattermost Server that allows team members to create unauthorized playbook runs via the playbook run API. The vulnerability occurs because Mattermost fails to verify the run_create permission when an empty playbookId is provided, enabling users without proper authorization to initiate playbook runs they should not have access to.
Critical Impact
Team members can bypass authorization controls to create unauthorized playbook runs, potentially disrupting incident response workflows and accessing sensitive operational data.
Affected Products
- Mattermost Server versions 11.3.x <= 11.3.0
- Mattermost Server versions 11.2.x <= 11.2.2
Discovery Timeline
- 2026-03-16 - CVE-2026-26304 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-26304
Vulnerability Analysis
This vulnerability stems from an improper access control flaw (CWE-863: Incorrect Authorization) within Mattermost's playbook run API. The core issue lies in the permission validation logic that fails to properly verify the run_create permission when processing requests with an empty playbookId parameter.
Under normal circumstances, when a user attempts to create a playbook run, Mattermost should validate that the requesting user has the appropriate run_create permission for the specified playbook. However, when an empty or null playbookId is submitted, the authorization check is bypassed entirely, allowing any authenticated team member to create runs regardless of their actual permission level.
This represents a classic case of improper input handling combined with missing authorization checks, where edge cases in the API input validation create security gaps in the access control mechanism.
Root Cause
The root cause is insufficient permission verification in the playbook run creation endpoint. The authorization logic appears to be tightly coupled to the presence of a valid playbookId, meaning that when this parameter is empty, the permission check either fails silently or is skipped entirely. This indicates a missing validation step that should enforce authorization regardless of whether a playbook ID is provided.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access. An attacker with basic team membership can exploit this vulnerability by sending specially crafted API requests to the playbook run endpoint with an empty playbookId parameter. This is a relatively straightforward attack that requires no user interaction and has low complexity.
An authenticated team member would craft a POST request to the playbook run API endpoint, omitting or providing an empty value for the playbookId field. The server processes this request without verifying whether the user has run_create permissions, resulting in unauthorized playbook run creation. Technical implementation details are available in the Mattermost Security Updates advisory.
Detection Methods for CVE-2026-26304
Indicators of Compromise
- API requests to playbook run creation endpoints with empty or null playbookId values
- Unusual playbook run creation activity from users who should not have run_create permissions
- Audit logs showing playbook runs created without associated playbook identifiers
Detection Strategies
- Monitor API access logs for playbook run creation requests with missing or empty playbookId parameters
- Implement alerting for playbook run creation events from users lacking explicit run_create permissions
- Review audit trails for anomalous patterns in playbook run creation frequency or source users
Monitoring Recommendations
- Enable verbose logging on the Mattermost Server playbook API endpoints
- Configure SIEM rules to detect API calls with empty required parameters to sensitive endpoints
- Establish baseline metrics for playbook run creation activity to identify anomalous behavior
How to Mitigate CVE-2026-26304
Immediate Actions Required
- Upgrade Mattermost Server to version 11.3.1 or later (for 11.3.x branch) or version 11.2.3 or later (for 11.2.x branch)
- Review audit logs for any suspicious playbook run creation activity
- Verify playbook run permissions are correctly configured for all team members
- Consider temporarily restricting API access to the playbook run endpoint if immediate patching is not feasible
Patch Information
Mattermost has released security patches to address this vulnerability. The fix ensures that run_create permission verification is enforced regardless of whether a playbookId is provided. Updated versions include proper authorization checks that validate user permissions before allowing playbook run creation.
Refer to the Mattermost Security Updates page for detailed patch information and download links. The advisory tracking this issue is MMSA-2025-00542.
Workarounds
- Restrict access to the playbook API endpoints at the network or reverse proxy level until patches can be applied
- Implement additional API gateway rules to reject playbook run creation requests with empty playbookId values
- Review and limit team membership to only essential users until the vulnerability is patched
# Example: Restrict playbook API access at nginx level (temporary workaround)
# Add to nginx configuration to block requests with empty playbookId
location /api/v4/runs {
if ($request_body ~* "\"playbookId\":\s*\"\"") {
return 403;
}
proxy_pass http://mattermost_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
