
PatchSiren cyber security CVE debrief

CVE-2026-4286 Mattermost CVE debrief

CVE-2026-4286 is a low-severity Mattermost authorization issue affecting playbook updates. According to the vendor and NVD data, users with only the Manage Playbook Configurations permission could change a playbook's team through the update API because the application did not verify whether team_id was being changed. That bypassed the intended manage members restriction on team changes. The affected ranges in the supplied data are Mattermost Server 10.11.0 through 10.11.13 and 11.5.0 through 11.5.1. The issue was published on 2026-05-18 and is not listed as known exploited in the supplied enrichment.

Vendor: Mattermost
Product: Mattermost Server
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Mattermost administrators, security teams, and anyone delegating Playbook Configuration permissions should review this issue, especially in deployments that separate playbook management from team membership control.

Technical summary

The flaw is an authorization check failure tied to playbook updates: the server did not compare the submitted team_id against the playbook's stored team before accepting the request, so the stronger permission normally required for a team change was never consulted. As a result, a user who could manage playbook configurations could alter a playbook's team association without the broader permissions normally required for team/member management. NVD lists the weakness as CWE-863 (Incorrect Authorization).
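The pattern behind this class of bug, written out as an added Go example (Mattermost Server is a Go code base, but this is not its code and the permission names, types and handler functions are hypothetical placeholders): the "vulnerable" update handler gates only on the configuration permission and copies every field, while the "fixed" handler diffs the requested team against the stored one and demands the member-management permission only when the team actually changes. It also emits an audit record for each accepted team reassignment, which is the kind of event the defensive actions below ask administrators to look for.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical permission identifiers standing in for the two permissions the
// advisory distinguishes. They are NOT Mattermost's real permission names.
const (
	PermManagePlaybookConfig  = "manage_playbook_configurations"
	PermManagePlaybookMembers = "manage_playbook_members"
)

// Playbook and PlaybookUpdate are simplified, constructed types for the example.
type Playbook struct {
	ID     string
	TeamID string
	Title  string
}

type PlaybookUpdate struct {
	TeamID string // empty means "leave unchanged"
	Title  string
}

// User carries the caller's effective permission set (constructed for the example).
type User struct {
	ID    string
	Perms map[string]bool
}

func (u User) Has(p string) bool { return u.Perms[p] }

var ErrForbidden = errors.New("forbidden")

// AuditLog collects team-reassignment events so they can be reviewed later.
var AuditLog []string

// updatePlaybookVulnerable models the pre-fix behaviour the advisory describes:
// only the configuration permission is checked, and TeamID is copied through
// without ever asking whether it changed.
func updatePlaybookVulnerable(u User, existing Playbook, upd PlaybookUpdate) (Playbook, error) {
	if !u.Has(PermManagePlaybookConfig) {
		return existing, ErrForbidden
	}
	existing.Title = upd.Title
	if upd.TeamID != "" {
		existing.TeamID = upd.TeamID // team reassignment is never re-authorized
	}
	return existing, nil
}

// updatePlaybookFixed compares the requested TeamID with the stored one and
// requires the stronger permission only for an actual team change. Unchanged
// or omitted TeamID values fall through to the ordinary configuration path.
func updatePlaybookFixed(u User, existing Playbook, upd PlaybookUpdate) (Playbook, error) {
	if !u.Has(PermManagePlaybookConfig) {
		return existing, ErrForbidden
	}
	teamChanged := upd.TeamID != "" && upd.TeamID != existing.TeamID
	if teamChanged {
		if !u.Has(PermManagePlaybookMembers) {
			return existing, fmt.Errorf("changing team_id requires %s: %w",
				PermManagePlaybookMembers, ErrForbidden)
		}
		// Record the reassignment so reviewers can audit team changes.
		AuditLog = append(AuditLog, fmt.Sprintf(
			"playbook %s team %s -> %s by user %s", existing.ID, existing.TeamID, upd.TeamID, u.ID))
		existing.TeamID = upd.TeamID
	}
	existing.Title = upd.Title
	return existing, nil
}

func main() {
	// Constructed sample: a user holding only the configuration permission
	// tries to move a playbook to another team.
	configOnly := User{ID: "u1", Perms: map[string]bool{PermManagePlaybookConfig: true}}
	pb := Playbook{ID: "pb1", TeamID: "teamA", Title: "Incident response"}
	move := PlaybookUpdate{TeamID: "teamB", Title: "Incident response"}

	got, err := updatePlaybookVulnerable(configOnly, pb, move)
	fmt.Printf("vulnerable: team=%s err=%v\n", got.TeamID, err)

	got, err = updatePlaybookFixed(configOnly, pb, move)
	fmt.Printf("fixed:      team=%s err=%v\n", got.TeamID, err)
}
```

The important design choice is that the check is keyed on whether the stored value differs from the submitted one, not on whether the field is present in the request, so a client that echoes the current team_id back unchanged is not forced to hold the member-management permission.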

Defensive priority

Low, but patch promptly during normal maintenance if your Mattermost deployment uses playbooks and grants Manage Playbook Configurations to non-admin users.

Recommended defensive actions

  • Upgrade Mattermost Server to a fixed release: 10.11.14 or later, or 11.5.2 or later.
  • Review which users or roles have Manage Playbook Configurations permission and reduce it where practical.
  • Audit playbook configuration changes, especially any team reassignment activity, for unexpected modifications.
  • Validate that team membership and playbook configuration permissions are still separated as intended in your deployment.
  • Monitor vendor security updates and confirm all affected instances are updated consistently.

Evidence notes

Based only on the supplied NVD record and the linked Mattermost security updates reference. NVD marks the CVE as analyzed with CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N (network-reachable, high attack complexity, low privileges required, no user interaction, low integrity impact only) and lists vulnerable CPE ranges for Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1. The supplied vendor reference identifies CWE-863. No KEV listing was provided in the source corpus.

Official resources

Published by NVD on 2026-05-18; modified on 2026-05-18. Vendor advisory was referenced in the supplied record on the same date.