MEDIUM 4.3
GHSA-6cfr-wp44-6qmv
Mattermost has an Incorrect Authorization issue
Details
Mattermost versions 11.5.x <= 11.5.1 fail to validate the team-level run_create permission against the target team when creating a playbook run. This allows an authenticated team member to create runs in teams where they lack permission by specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629.
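The class of check described above, as an added example that is not Mattermost's code: a hypothetical permission model contrasting a handler that does not tie run_create to the team ID in the request with one that does. The names `Perms`, `RunRequest`, `createRunWeak`, `createRunChecked` and the sample data are assumptions, and the advisory does not show the flawed code, so the weak variant is only one way such a gap can arise.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model, not Mattermost code: Perms[userID][teamID][permission]
// records which permissions a user has been granted in each team.
type Perms map[string]map[string]map[string]bool

// RunRequest models a run creation request in which the caller names the team.
type RunRequest struct {
	TeamID string
}

var ErrForbidden = errors.New("forbidden: run_create not granted on target team")

func (p Perms) has(userID, teamID, perm string) bool {
	return p[userID][teamID][perm] // reads on nil maps safely yield false
}

// createRunWeak shows the flawed pattern (assumed): it confirms the caller
// holds run_create in some team, then trusts req.TeamID as the destination.
func createRunWeak(p Perms, userID string, req RunRequest) (string, error) {
	for teamID := range p[userID] {
		if p.has(userID, teamID, "run_create") {
			return req.TeamID, nil
		}
	}
	return "", ErrForbidden
}

// createRunChecked binds the permission check to the team the run lands in.
func createRunChecked(p Perms, userID string, req RunRequest) (string, error) {
	if req.TeamID == "" || !p.has(userID, req.TeamID, "run_create") {
		return "", ErrForbidden
	}
	return req.TeamID, nil
}

func main() {
	// Constructed sample data: alice may create runs in team-a only.
	p := Perms{"alice": {"team-a": {"run_create": true}, "team-b": {"view": true}}}
	req := RunRequest{TeamID: "team-b"}
	_, errWeak := createRunWeak(p, "alice", req)
	_, errChecked := createRunChecked(p, "alice", req)
	fmt.Println("weak:", errWeak, "| checked:", errChecked)
}
```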
Affected packages
Go / github.com/mattermost/mattermost/server/v8
Introduced in: 8.0.0-20260304132957-9f2616376582
Fixed in: 8.0.0-20260320113102-f2b3d1c6a945
Fix
go get github.com/mattermost/mattermost/server/v8@v8.0.0-20260320113102-f2b3d1c6a945