PatchSiren cyber security CVE debrief

CVE-2026-4055 Mattermost CVE debrief

CVE-2026-4055 is a team-scoped authorization flaw in Mattermost playbook run creation. According to the NVD summary, versions 11.5.x through 11.5.1 fail to validate the target team’s run_create permission when a playbook run is created, which can let an authenticated team member create runs in a team where they do not have permission by specifying a different team ID in the API request. The issue is rated CVSS 4.3 (Medium) and maps to CWE-863 (Incorrect Authorization).

Vendor: Mattermost
Product: Unknown
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Mattermost administrators, security teams, and organizations using Mattermost playbooks or team-scoped automation should review this issue, especially where users can create playbook runs across multiple teams or where team membership and permissions are tightly segmented.

Technical summary

The vulnerability is an authorization check failure in the playbook run creation path. The NVD description states that Mattermost versions 11.5.x <= 11.5.1 do not validate the run_create permission against the intended target team. As a result, an authenticated user with access to one team may be able to submit a request that names a different team ID and create a playbook run there despite lacking the required permission. NVD lists the weakness as CWE-863 and the CVSS vector as AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.
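The CWE-863 pattern described above, as an added illustration that is not Mattermost's code: a handler that authorizes run creation against the team the caller already belongs to, beside one that authorizes against the team ID actually named in the request. The permission store, user and team names, and the request shape are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a hypothetical stand-in for the page's "run_create" permission.
type Permission string

const PermRunCreate Permission = "run_create"

// grants maps userID -> teamID -> permissions held on that team (constructed data).
// alice holds run_create on team-a only.
var grants = map[string]map[string]map[Permission]bool{
	"alice": {"team-a": {PermRunCreate: true}},
}

// CreateRunRequest models the API body: the caller names the target team.
type CreateRunRequest struct {
	PlaybookID string
	TeamID     string
}

var ErrForbidden = errors.New("forbidden: missing run_create on target team")

func hasPermission(userID, teamID string, p Permission) bool {
	return grants[userID][teamID][p] // nil-map lookups yield false
}

// createRunVulnerable shows the flaw: the check uses homeTeam (a team the
// caller is known to be in) rather than req.TeamID, so a different team ID in
// the body is never authorized.
func createRunVulnerable(userID, homeTeam string, req CreateRunRequest) (string, error) {
	if !hasPermission(userID, homeTeam, PermRunCreate) {
		return "", ErrForbidden
	}
	return fmt.Sprintf("run %s in %s by %s", req.PlaybookID, req.TeamID, userID), nil
}

// createRunFixed authorizes against the team the request actually targets.
func createRunFixed(userID string, req CreateRunRequest) (string, error) {
	if !hasPermission(userID, req.TeamID, PermRunCreate) {
		return "", ErrForbidden
	}
	return fmt.Sprintf("run %s in %s by %s", req.PlaybookID, req.TeamID, userID), nil
}

func main() {
	req := CreateRunRequest{PlaybookID: "pb-1", TeamID: "team-b"}
	fmt.Println(createRunVulnerable("alice", "team-a", req)) // created in team-b, wrongly
	fmt.Println(createRunFixed("alice", req))                // forbidden
}
```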

Defensive priority

Medium

Recommended defensive actions

  • Review the Mattermost security updates page referenced by NVD and apply the vendor fix or upgrade to a patched release as soon as it is available.
  • Audit playbook run creation permissions and confirm that team-level authorization is enforced for every target team.
  • Limit who can create playbook runs in sensitive teams until patched, and remove unnecessary cross-team access.
  • Monitor Mattermost audit logs and application logs for unusual playbook run creation requests that reference unexpected team IDs.
  • Verify whether your deployed Mattermost version falls within the affected 11.5.x through 11.5.1 range before remediation, and confirm it no longer does afterwards.

Evidence notes

All claims are limited to the supplied NVD record and its referenced Mattermost security updates page. The NVD entry identifies CVE-2026-4055 as affecting Mattermost versions 11.5.x <= 11.5.1, describes the permission-validation failure, assigns CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, and maps the issue to CWE-863. No fixed version or exploit details were provided in the supplied corpus.

Official resources

CVE published by NVD on 2026-05-21. NVD references Mattermost security updates (MMSA-2026-00629) as the vendor disclosure source.