CVE-2026-4055 Overview
CVE-2026-4055 is an authorization flaw in Mattermost versions 11.5.x <= 11.5.1 affecting the playbook run creation API. The application fails to validate the run_create permission against the target team when an authenticated user creates a playbook run. An authenticated team member can supply a different team ID in the run creation request and create runs in teams where they lack permission. Mattermost tracks this issue as advisory MMSA-2026-00629. The weakness maps to CWE-863: Incorrect Authorization.
Critical Impact
Authenticated users can create playbook runs in teams they do not belong to, breaking team-level access boundaries and enabling cross-team data integrity violations.
Affected Products
- Mattermost Server 11.5.0
- Mattermost Server 11.5.1
- Mattermost Playbooks functionality within affected releases
Discovery Timeline
- 2026-05-21 - CVE CVE-2026-4055 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-4055
Vulnerability Analysis
The vulnerability sits in the playbook run creation workflow. Mattermost exposes an API endpoint that accepts a team identifier in the request payload. The server checks whether the calling user is authenticated and has playbook permissions, but it does not verify that the run_create permission applies to the team specified in the request body. As a result, the permission check evaluates the wrong scope.
An attacker with a valid Mattermost account on any team can craft a run creation request that targets an arbitrary team ID. The server processes the request as if the user held membership in that team. This breaks the multi-tenant isolation model that Mattermost teams are designed to enforce.
The impact is limited to integrity. An attacker cannot read confidential channel content or disrupt service availability through this flaw alone. However, the ability to create playbook runs in foreign teams can be chained with social engineering or used to seed misleading incident records.
Root Cause
The root cause is a missing authorization check against the target resource. The server validates the permission against the user's session context rather than against the team identifier supplied in the API request. This is a textbook instance of broken access control where the trust boundary between the authenticated principal and the requested resource is not enforced.
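The wrong-scope check and its fix, side by side, as an added Go example written for this page and not Mattermost's own code: the request struct, the session type, the permission store and all function names are assumptions; only the behaviour follows the description above, with run_create evaluated against the session's team while the run is created in the team_id carried by the request body.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// createRunRequest is the JSON body of the run-creation call.
// Field names are an assumption for this example.
type createRunRequest struct {
	TeamID     string `json:"team_id"`
	PlaybookID string `json:"playbook_id"`
	Name       string `json:"name"`
}

// session is the authenticated caller. TeamID is the team the user was
// working in when the request was sent, which is what the flawed check uses.
type session struct {
	UserID string
	TeamID string
}

// permissionStore records which users hold run_create in which teams
// (userID -> teamID -> granted). A hypothetical stand-in for the real store.
type permissionStore struct {
	grants map[string]map[string]bool
}

func (p *permissionStore) hasRunCreate(userID, teamID string) bool {
	return p.grants[userID][teamID] // a missing inner map reads as false
}

var errForbidden = errors.New("forbidden: caller lacks run_create on target team")

// createRunVulnerable mirrors the flaw: run_create is checked against the
// session's team, but the run is created in the team named by the body.
// It returns the team the run was created in.
func createRunVulnerable(p *permissionStore, s session, body []byte) (string, error) {
	var req createRunRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return "", err
	}
	if !p.hasRunCreate(s.UserID, s.TeamID) { // wrong scope: session team
		return "", errForbidden
	}
	return req.TeamID, nil // req.TeamID was never authorized
}

// createRunFixed checks run_create against the team the run will actually
// land in, i.e. the team_id from the request body, and refuses an empty one.
func createRunFixed(p *permissionStore, s session, body []byte) (string, error) {
	var req createRunRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return "", err
	}
	if req.TeamID == "" {
		return "", errors.New("bad request: team_id is required")
	}
	if !p.hasRunCreate(s.UserID, req.TeamID) { // scope = target resource
		return "", errForbidden
	}
	return req.TeamID, nil
}

func main() {
	// alice holds run_create only in team-a but targets team-b in the body.
	perms := &permissionStore{grants: map[string]map[string]bool{
		"alice": {"team-a": true},
	}}
	sess := session{UserID: "alice", TeamID: "team-a"}
	body := []byte(`{"team_id":"team-b","playbook_id":"pb-1","name":"demo"}`)

	team, err := createRunVulnerable(perms, sess, body)
	fmt.Println("vulnerable:", team, err) // run created in team-b, no error

	_, err = createRunFixed(perms, sess, body)
	fmt.Println("fixed:", err) // errForbidden
}
```

The only difference between the two handlers is which team identifier is passed to the permission check; the fix also rejects an empty team_id so that a missing field cannot fall through to a default scope.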
Attack Vector
The attack vector is network-based and requires low privileges. An authenticated user sends a POST request to the playbook run creation endpoint with a manipulated team_id field referencing a team they do not belong to. No user interaction is required. Exploitation requires only standard API access and knowledge of a target team ID.
No public proof-of-concept exploit is currently available. See the Mattermost Security Updates advisory for additional technical context.
Detection Methods for CVE-2026-4055
Indicators of Compromise
- Playbook run creation events where the requesting user is not a member of the target team
- API requests to playbook run endpoints containing team_id values inconsistent with the authenticated user's team memberships
- Unexpected playbook runs appearing in teams without corresponding user activity from team members
Detection Strategies
- Audit Mattermost application logs for playbook run creation events and correlate the user_id against team membership records; use membership as of the event time where history is available, because later joins or removals will hide true hits or produce false ones
- Compare the team_id parameter in run creation API calls with the requesting user's authorized team list
- Flag any HTTP requests to playbook APIs where the team_id in the payload is not one of the requesting user's team memberships; users can belong to several teams, so compare against the full membership set rather than a single session team
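The membership correlation from the indicators and strategies above, as an added Go example written for this page and not part of Mattermost: the JSON event lines and the membership snapshot are constructed inputs, and the event and field names are assumptions rather than Mattermost's actual audit schema, so they would need to be mapped onto whatever the deployment's audit log emits.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// sampleLog is a constructed set of audit lines. The event name and field
// layout are assumptions for this example, not Mattermost's real schema.
const sampleLog = `{"event":"playbook_run_create","user_id":"u_alice","team_id":"team-a","run_id":"r1"}
{"event":"playbook_run_create","user_id":"u_alice","team_id":"team-b","run_id":"r2"}
{"event":"login","user_id":"u_bob"}
{"event":"playbook_run_create","user_id":"u_bob","team_id":"team-b","run_id":"r3"}
not json at all`

type runEvent struct {
	Event  string `json:"event"`
	UserID string `json:"user_id"`
	TeamID string `json:"team_id"`
	RunID  string `json:"run_id"`
}

// membership is a snapshot of userID -> set of teamIDs, as you would export
// from the team membership table or the teams API.
type membership map[string]map[string]bool

type finding struct {
	RunID  string
	UserID string
	TeamID string
}

// findCrossTeamRuns returns every run-creation event whose user is not a
// member of the target team, plus a count of lines that failed to parse
// (counted rather than silently dropped, so a schema change is noticed).
func findCrossTeamRuns(log string, m membership) ([]finding, int) {
	var out []finding
	bad := 0
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev runEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			bad++
			continue
		}
		if ev.Event != "playbook_run_create" {
			continue
		}
		if !m[ev.UserID][ev.TeamID] { // unknown user or team reads as false
			out = append(out, finding{RunID: ev.RunID, UserID: ev.UserID, TeamID: ev.TeamID})
		}
	}
	return out, bad
}

func main() {
	m := membership{
		"u_alice": {"team-a": true},
		"u_bob":   {"team-b": true},
	}
	findings, bad := findCrossTeamRuns(sampleLog, m)
	for _, f := range findings {
		fmt.Printf("ALERT run=%s user=%s created in team=%s without membership\n",
			f.RunID, f.UserID, f.TeamID)
	}
	fmt.Printf("%d unparseable line(s)\n", bad)
}
```

Against the sample, only r2 is flagged: alice created it in team-b while holding membership only in team-a. Note that the snapshot is point-in-time; if alice is later added to team-b, the same event no longer surfaces, which is why the strategy above prefers membership as of the event time when a history is available.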
Monitoring Recommendations
- Enable verbose audit logging for the playbooks plugin and forward events to a central SIEM
- Build alerts on anomalous playbook run creation patterns, especially runs created in teams with low historical activity from the initiating user
- Review service account and bot account activity that interacts with the playbook run API
How to Mitigate CVE-2026-4055
Immediate Actions Required
- Upgrade Mattermost Server to a version above 11.5.1 that addresses MMSA-2026-00629
- Audit existing playbook runs in the 11.5.x window for entries created by users outside the owning team
- Remove or archive any playbook runs found by that audit to have been created without authorization and notify the affected team owners; the flaw is an integrity issue, so the concern is misleading incident records rather than leaked data
Patch Information
Mattermost has released fixed versions addressing advisory MMSA-2026-00629. Administrators should consult the Mattermost Security Updates page for the specific patched release that corresponds to their deployment branch and apply it through the standard upgrade process.
Workarounds
- Restrict access to the playbooks plugin to trusted users only until the patch is applied
- Disable the playbooks plugin in environments where it is not actively required
- Apply network-level controls or reverse proxy rules that audit and constrain access to the /plugins/playbooks/api/ endpoints
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


