CVE-2026-4286
LOW
NVD
CVSS Score
3.1
Severity
LOW
Published
May 18, 2026
Vendor
unknown
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if { {team_id} } was being changed when updating playbooks, allowing users with only { {Manage Playbook Configurations} } permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552