CVE-2026-6343 Overview
CVE-2026-6343 is an authorization flaw in Mattermost Server that allows authenticated users to access public playbooks without holding the required public/private permissions. The vulnerability stems from missing permission checks on the /get endpoint used to retrieve playbook data. Mattermost tracks the issue under advisory MMSA-2026-00591 and classifies it under CWE-863: Incorrect Authorization. Affected releases include Mattermost Server 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3. Any team member with a valid session can enumerate playbook content intended for restricted roles.
Critical Impact
Authenticated Mattermost users can read public playbooks they should not have access to, exposing operational runbooks, incident response procedures, and sensitive workflow content.
Affected Products
- Mattermost Server 11.5.x up to and including 11.5.1
- Mattermost Server 11.4.x up to and including 11.4.3
- Mattermost Server 10.11.x up to and including 10.11.13
Discovery Timeline
- 2026-05-18 - CVE-2026-6343 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-6343
Vulnerability Analysis
The flaw resides in Mattermost's playbooks feature, which allows teams to codify repeatable workflows such as incident response procedures. Playbooks support visibility controls that distinguish public playbooks from private playbooks scoped to specific members. The vulnerable releases fail to enforce these visibility checks when the /get endpoint is invoked.
As a result, a logged-in user without the dedicated public or private playbook permissions can request playbook records and receive their contents. The authorization layer evaluates session validity but skips the role and membership evaluation that would normally gate read access. This breaks the principle of least privilege within the Mattermost workspace.
The attack requires network access to the Mattermost server and a low-privilege authenticated session. No user interaction is needed, and the scope remains unchanged because the actor stays within their existing trust boundary while reading data they should not see. Confidentiality is the only affected property; integrity and availability are not impacted.
Root Cause
The root cause is a missing authorization check inside the playbook retrieval handler. The endpoint resolves the playbook by identifier and returns the object without evaluating the playbook's public or private visibility against the requesting user's permission set, matching the pattern described by CWE-863.
Attack Vector
An attacker authenticates to the Mattermost server with any standard user account. The attacker issues a request to the playbook /get route referencing a known or enumerated playbook identifier. The server returns the playbook content despite the user lacking the configured public/private playbook permissions. No verified proof-of-concept is published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
For technical specifics, refer to the Mattermost Security Updates page.
Detection Methods for CVE-2026-6343
Indicators of Compromise
- Unexpected GET requests to playbook retrieval API routes from user accounts that are not members of the playbook's team or role group.
- Spikes in playbook read activity from accounts that have never previously interacted with the playbooks feature.
- Audit log entries showing playbook access by users without the playbook_public_manage_members or equivalent permission.
Detection Strategies
- Correlate Mattermost audit logs with role assignments to flag playbook reads by users lacking the corresponding permission.
- Baseline normal playbook access patterns per user and alert on deviations such as bulk enumeration of playbook identifiers.
- Ingest Mattermost application logs into a SIEM and write rules that match the vulnerable /get route against the requesting user's permission set.
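The three strategies above (permission correlation, per-user baselining, and a SIEM rule keyed on the /get route) as one added Go example written for this page; it is not Mattermost code and not a Mattermost audit schema. Audit lines are constructed JSON with assumed field names (ts, user_id, method, path, playbook_id), role assignments are passed in as a map that a SIEM would join from its identity source, and the permission names (playbook_public_view and the playbook_public_*/playbook_private_* prefixes) are hypothetical, modelled on the playbook_public_manage_members name used above. Detect raises one alert the first time a user with no playbook permission reads a playbook, and a second alert when one user reads more than a threshold of distinct playbook identifiers inside a sliding time window, the bulk-enumeration pattern the second strategy describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent holds the fields read from each JSON audit line (field names are an
// assumption for this example, not Mattermost's audit schema).
type AuditEvent struct {
	Timestamp  string `json:"ts"`
	UserID     string `json:"user_id"`
	Method     string `json:"method"`
	Path       string `json:"path"`
	PlaybookID string `json:"playbook_id"`
	at         time.Time
}
type Alert struct{ Rule, UserID, Detail string } // one finding

// SamplePerms maps user IDs to permission names (constructed; names hypothetical).
// Users absent from the map hold no playbook permission at all.
var SamplePerms = map[string][]string{
	"u-alice": {"playbook_public_view"},
}

// SampleLines: constructed, time-ordered; bob has no permission, carol walks five IDs in 20s.
var SampleLines = []string{
	`{"ts":"2026-05-18T10:00:00Z","user_id":"u-alice","method":"GET","path":"/api/playbooks/pb-1/get","playbook_id":"pb-1"}`,
	`{"ts":"2026-05-18T10:00:02Z","user_id":"u-alice","method":"POST","path":"/api/playbooks/pb-1/runs","playbook_id":"pb-1"}`,
	`{"ts":"2026-05-18T10:00:05Z","user_id":"u-bob","method":"GET","path":"/api/playbooks/pb-1/get","playbook_id":"pb-1"}`,
	`{"ts":"2026-05-18T10:01:00Z","user_id":"u-carol","method":"GET","path":"/api/playbooks/pb-1/get","playbook_id":"pb-1"}`,
	`{"ts":"2026-05-18T10:01:05Z","user_id":"u-carol","method":"GET","path":"/api/playbooks/pb-2/get","playbook_id":"pb-2"}`,
	`{"ts":"2026-05-18T10:01:10Z","user_id":"u-carol","method":"GET","path":"/api/playbooks/pb-3/get","playbook_id":"pb-3"}`,
	`{"ts":"2026-05-18T10:01:15Z","user_id":"u-carol","method":"GET","path":"/api/playbooks/pb-4/get","playbook_id":"pb-4"}`,
	`{"ts":"2026-05-18T10:01:20Z","user_id":"u-carol","method":"GET","path":"/api/playbooks/pb-5/get","playbook_id":"pb-5"}`,
}

// hasPlaybookReadPermission reports whether the user holds any playbook_public_* or
// playbook_private_* permission (hypothetical names, modelled on playbook_public_manage_members).
func hasPlaybookReadPermission(perms map[string][]string, userID string) bool {
	for _, p := range perms[userID] {
		if strings.HasPrefix(p, "playbook_public_") || strings.HasPrefix(p, "playbook_private_") {
			return true
		}
	}
	return false
}

// Detect raises unauthorized_playbook_read (a playbook /get by a user with no playbook
// permission, once per user) and bulk_playbook_enumeration (more than maxDistinct IDs inside window).
func Detect(lines []string, perms map[string][]string, window time.Duration, maxDistinct int) ([]Alert, error) {
	readsByUser, flagged := map[string][]AuditEvent{}, map[string]bool{}
	var alerts []Alert
	for _, line := range lines {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("unparseable audit line %q: %w", line, err)
		}
		if ev.Method != "GET" || !strings.HasSuffix(ev.Path, "/get") {
			continue // only playbook retrieval matters for this CVE
		}
		var err error
		if ev.at, err = time.Parse(time.RFC3339, ev.Timestamp); err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		if !flagged[ev.UserID] && !hasPlaybookReadPermission(perms, ev.UserID) {
			flagged[ev.UserID] = true
			alerts = append(alerts, Alert{"unauthorized_playbook_read", ev.UserID, "first read: " + ev.PlaybookID})
		}
		readsByUser[ev.UserID] = append(readsByUser[ev.UserID], ev)
	}
	// Bulk alerts are appended after the per-read ones; their relative order follows map iteration.
	for user, reads := range readsByUser {
		for i := range reads { // sliding window anchored at each read
			distinct := map[string]bool{}
			for j := i; j < len(reads) && reads[j].at.Sub(reads[i].at) <= window; j++ {
				distinct[reads[j].PlaybookID] = true
			}
			if len(distinct) > maxDistinct {
				alerts = append(alerts, Alert{"bulk_playbook_enumeration", user, fmt.Sprintf("%d distinct playbooks within %s", len(distinct), window)})
				break
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Detect(SampleLines, SamplePerms, 60*time.Second, 4)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-27s %-8s %s\n", a.Rule, a.UserID, a.Detail)
	}
}
```

On the sample input with a 60-second window and a threshold of 4, the run reports bob's single unauthorized read, carol's first unauthorized read, and carol's enumeration of 5 distinct playbooks; the window and threshold are the baseline knobs that would be tuned per deployment from normal per-user access rates.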
Monitoring Recommendations
- Enable verbose API audit logging on Mattermost servers and retain logs for at least 90 days.
- Forward Mattermost logs to a centralized logging platform and alert on playbook access anomalies.
- Review playbook membership and visibility settings on a recurring schedule to confirm enforcement after upgrade.
How to Mitigate CVE-2026-6343
Immediate Actions Required
- Upgrade Mattermost Server to a release above 11.5.1, 11.4.3, or 10.11.13 per the Mattermost Security Updates advisory.
- Inventory all playbooks and identify any that contain sensitive incident response or operational content that may have been exposed.
- Rotate any secrets, tokens, or credentials referenced inside playbook steps if exposure is suspected.
Patch Information
Mattermost addressed the issue under advisory MMSA-2026-00591. Administrators should apply the fixed releases referenced on the Mattermost Security Updates page. The patch reinstates the public/private permission check on the playbook /get handler so that retrieval respects configured visibility.
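The missing check described under Root Cause and the reinstated check described here, side by side, as an added Go example written for this page. It is a simplified model, not Mattermost's handler, store or permission identifiers: PermPublicView and PermPrivateView are hypothetical names, and the Playbook, User and Store types are constructed for the demonstration. GetPlaybookVulnerable resolves the record by identifier and returns it to any principal with a session; GetPlaybookFixed additionally evaluates team membership and the public or private permission that applies to the record before returning it.

```go
package main

import (
	"errors"
	"fmt"
)

// Errors returned by the retrieval handlers.
var (
	ErrNotFound  = errors.New("playbook not found")
	ErrForbidden = errors.New("forbidden: caller lacks the playbook permission")
)

// Permission names used by this model; hypothetical, not Mattermost's identifiers.
const (
	PermPublicView  = "playbook_public_view"
	PermPrivateView = "playbook_private_view"
)

// Playbook is a simplified record: a public playbook is visible to any team member
// holding PermPublicView; a private one only to listed members holding PermPrivateView.
type Playbook struct {
	ID, TeamID, Title string
	Public            bool
	Members           map[string]bool
}

// User is the already-authenticated session principal.
type User struct {
	ID          string
	Teams       map[string]bool
	Permissions map[string]bool
}

// Store stands in for the database layer.
type Store struct{ playbooks map[string]*Playbook }

// GetPlaybookVulnerable reproduces the flawed pattern: the session is valid, the
// record is resolved by ID, and it is returned without consulting visibility.
func (s *Store) GetPlaybookVulnerable(u *User, id string) (*Playbook, error) {
	pb, ok := s.playbooks[id]
	if !ok {
		return nil, ErrNotFound
	}
	return pb, nil // any authenticated user gets the record
}

// canView is the visibility policy: team membership first, then the
// public/private permission that applies to the record.
func canView(u *User, pb *Playbook) bool {
	if !u.Teams[pb.TeamID] {
		return false
	}
	if pb.Public {
		return u.Permissions[PermPublicView]
	}
	return pb.Members[u.ID] && u.Permissions[PermPrivateView]
}

// GetPlaybookFixed resolves the record and enforces canView before returning it,
// which is the check the patch reinstates.
func (s *Store) GetPlaybookFixed(u *User, id string) (*Playbook, error) {
	pb, ok := s.playbooks[id]
	if !ok {
		return nil, ErrNotFound
	}
	if !canView(u, pb) {
		return nil, ErrForbidden
	}
	return pb, nil
}

// SampleData builds a constructed store and three users for the demonstration.
func SampleData() (*Store, map[string]*User) {
	team := map[string]bool{"team-ir": true}
	store := &Store{playbooks: map[string]*Playbook{
		"pb-pub":  {ID: "pb-pub", TeamID: "team-ir", Title: "Phishing triage", Public: true},
		"pb-priv": {ID: "pb-priv", TeamID: "team-ir", Title: "Key rotation", Members: map[string]bool{"u-alice": true}},
	}}
	users := map[string]*User{
		// alice: team member with both permissions, listed on the private playbook
		"u-alice": {ID: "u-alice", Teams: team, Permissions: map[string]bool{PermPublicView: true, PermPrivateView: true}},
		// bob: valid session and team membership, but no playbook permission
		"u-bob": {ID: "u-bob", Teams: team, Permissions: map[string]bool{}},
		// eve: holds the public permission but is not on the team
		"u-eve": {ID: "u-eve", Teams: map[string]bool{}, Permissions: map[string]bool{PermPublicView: true}},
	}
	return store, users
}

func main() {
	store, users := SampleData()
	for _, uid := range []string{"u-alice", "u-bob", "u-eve"} {
		_, errV := store.GetPlaybookVulnerable(users[uid], "pb-pub")
		_, errF := store.GetPlaybookFixed(users[uid], "pb-pub")
		fmt.Printf("%-8s vulnerable: %v | fixed: %v\n", uid, errV, errF)
	}
}
```

The fixed handler deliberately checks the policy after the lookup rather than before, so that the record's own visibility flag and team drive the decision; returning ErrForbidden distinguishes denial from absence, and a deployment that does not want to confirm which identifiers exist can return ErrNotFound in both cases instead.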
Workarounds
- Restrict access to the Mattermost server to trusted networks until patching is complete.
- Temporarily delete or archive playbooks containing sensitive content if upgrade cannot be performed immediately.
- Reduce the number of users with general workspace access to limit the population able to abuse the missing check.
# Verify the running Mattermost Server version before and after upgrade
/opt/mattermost/bin/mattermost version
# Example upgrade flow for a Linux tarball installation in /opt/mattermost. Extract
# beside the install rather than over it, keep config, data, logs and plugins in
# place, and copy with -n so the live config.json is never clobbered.
systemctl stop mattermost
tar -xzf mattermost-<fixed-version>-linux-amd64.tar.gz -C /tmp --transform='s,^[^/]\+,\0-upgrade,'
cd /opt/mattermost && find . -maxdepth 1 ! -name data ! -name config ! -name logs ! -name plugins ! -name client ! -name . -exec rm -r {} \;
find client -maxdepth 1 ! -name plugins ! -name client -exec rm -r {} \;
cp -an /tmp/mattermost-upgrade/. /opt/mattermost/
systemctl start mattermost
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.