Access Control Bypass in Mattermost Playbook Configuration
CVE-2026-4286

3.1 LOW

Key Information:

Vendor: Mattermost

CVE Published: 18 May 2026

What is CVE-2026-4286?

Mattermost versions 11.5.x up to and including 11.5.1 and 10.11.x up to and including 10.11.13 let a user who holds only the Manage Playbook Configurations permission change a playbook's associated team ID when the playbook is updated through the PUT API. Because the update path accepts a new team ID from a caller who is not permitted to manage the playbook's members, that caller can re-associate the playbook with a different team and thereby sidestep the member-management restrictions the permission split is meant to enforce. The impact is limited to the integrity of playbook configuration (no confidentiality or availability impact), which is reflected in the low CVSS score.
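The pattern behind this class of bug, shown as an added example that is not Mattermost's own code: a Go update handler that performs a single permission check and then overwrites the stored record from the request body, beside a corrected version that treats the team ID as immutable on update and gates member changes behind a separate permission. Every name below (the permission strings, the Playbook and Caller types, the update functions, the sample store) is a hypothetical stand-in chosen for the illustration, not a Mattermost identifier.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Hypothetical permission names standing in for the per-playbook
// "manage configurations" and "manage members" permissions the advisory
// refers to. They are not Mattermost's identifiers.
const (
	PermManageConfig  = "playbook.manage_configurations"
	PermManageMembers = "playbook.manage_members"
)

// Playbook is a minimal stand-in for the stored record.
type Playbook struct {
	ID      string
	TeamID  string
	Title   string
	Members []string
}

// Caller carries the permissions the requesting user holds on the playbook.
type Caller struct {
	UserID string
	Perms  map[string]bool
}

var (
	ErrNotFound   = errors.New("playbook not found")
	ErrForbidden  = errors.New("forbidden")
	ErrTeamChange = errors.New("team_id is immutable on update")
)

// sameMembers compares two member lists regardless of order.
func sameMembers(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	x := append([]string(nil), a...)
	y := append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// updatePlaybookVulnerable models the flawed pattern: one permission check,
// then the whole request body replaces the stored record. A caller holding
// only the configuration permission can therefore rewrite TeamID and Members.
func updatePlaybookVulnerable(store map[string]*Playbook, c Caller, req Playbook) error {
	cur, ok := store[req.ID]
	if !ok {
		return ErrNotFound
	}
	if !c.Perms[PermManageConfig] {
		return ErrForbidden
	}
	*cur = req
	return nil
}

// updatePlaybookFixed keeps the same entry check but applies the request
// field by field: TeamID may not change after creation, and a change to the
// member list additionally requires the member-management permission.
func updatePlaybookFixed(store map[string]*Playbook, c Caller, req Playbook) error {
	cur, ok := store[req.ID]
	if !ok {
		return ErrNotFound
	}
	if !c.Perms[PermManageConfig] {
		return ErrForbidden
	}
	if req.TeamID != cur.TeamID {
		return ErrTeamChange
	}
	if !sameMembers(req.Members, cur.Members) && !c.Perms[PermManageMembers] {
		return ErrForbidden
	}
	cur.Title = req.Title
	cur.Members = append([]string(nil), req.Members...)
	return nil
}

// newStore builds constructed sample data: one playbook owned by team-A.
func newStore() map[string]*Playbook {
	return map[string]*Playbook{
		"pb1": {ID: "pb1", TeamID: "team-A", Title: "Incident response", Members: []string{"alice", "bob"}},
	}
}

func main() {
	// The caller holds only the configuration permission on pb1 and submits
	// an otherwise identical body with a different team ID.
	configOnly := Caller{UserID: "mallory", Perms: map[string]bool{PermManageConfig: true}}
	req := Playbook{ID: "pb1", TeamID: "team-B", Title: "Incident response", Members: []string{"alice", "bob"}}

	s := newStore()
	fmt.Println("vulnerable:", updatePlaybookVulnerable(s, configOnly, req), "team now", s["pb1"].TeamID)

	s = newStore()
	fmt.Println("fixed:", updatePlaybookFixed(s, configOnly, req), "team still", s["pb1"].TeamID)
}
```

Running main shows the vulnerable path accepting the request and leaving the playbook on team-B, while the fixed path returns the immutability error and leaves it on team-A. The review check is the same in any PUT-style update endpoint: enumerate every field the request body can set and confirm each is covered by the permission the handler actually verified, not by a permission the caller is merely assumed to hold.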

Affected Version(s)

Mattermost 11.5.0 through 11.5.1

Mattermost 10.11.0 through 10.11.13

Mattermost 11.6.0

References

CVSS V3.1

Score: 3.1
Severity: LOW
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

  • Vulnerability reserved

  • Vulnerability published: 18 May 2026

Credit

0x7oda7123