CVE-2026-4286

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13

Description An issue exists where the system fails to verify if the team id is modified during playbook updates. This allows users possessing only the Manage Playbook Configurations permission to change the team associated with a playbook, thereby bypassing restrictions intended to manage members via the 'PUT' API endpoint.

Recommendations Update Mattermost versions 11.5.0 through 11.5.1 to a version later than 11.5.1. Update Mattermost versions 10.11.0 through 10.11.13 to a version later than 10.11.13.