CVE-2026-0997

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://mattermost.com/security-updates	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:zoom::::::mattermost::*

History

No history.

Information

Published : 2026-02-16 10:16

Updated : 2026-02-18 20:23

NVD link : CVE-2026-0997

Mitre link : CVE-2026-0997

CVE.ORG link : CVE-2026-0997

JSON object : View

Products Affected

mattermost

mattermost_server
zoom

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-0997", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-16T10:16:07.793", "references": [{"url": "https://mattermost.com/security-updates", "tags": ["Vendor Advisory"], "source": "responsibledisclosure@mattermost.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "responsibledisclosure@mattermost.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558"}, {"lang": "es", "value": "Las versiones de Mattermost 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 y las versiones del plugin de Mattermost Zoom <=1.11.0 no validan al usuario autenticado al procesar {{/plugins/zoom/api/v1/channel-preference}}, lo que permite a cualquier usuario con sesi\u00f3n iniciada cambiar las restricciones de las reuniones de Zoom para canales arbitrarios a trav\u00e9s de solicitudes de API manipuladas. ID de aviso de Mattermost: MMSA-2025-00558."}], "lastModified": "2026-02-18T20:23:34.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92B0F8BD-06A1-4B39-95C5-4FB5A195F1C4", "versionEndExcluding": "10.11.10", "versionStartIncluding": "10.11.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F28AD5DC-E336-4DD3-BC31-AC924190433C", "versionEndExcluding": "11.1.3", "versionStartIncluding": "11.1.0"}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D98EAFB2-8055-4893-835B-30A99ED97892", "versionEndExcluding": "11.2.2", "versionStartIncluding": "11.2.0"}, {"criteria": "cpe:2.3:a:mattermost:zoom:*:*:*:*:*:mattermost:*:*", "vulnerable": true, "matchCriteriaId": "795B314D-69ED-4BB3-9F72-C9441FFA3852", "versionEndIncluding": "1.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "responsibledisclosure@mattermost.com"}