8.8

CVE-2026-3524

EPSS 0.02%
Veröffentlicht 06.04.2026 12:06:22
Zuletzt bearbeitet 07.04.2026 13:20:35
Quelle responsibledisclosure@mattermo
CVE-Watchlists
Login
Unerledigt
Login

Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check

Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerMattermost

≫

Produkt Mattermost

Default Statusunaffected

Version <= 1.1.4

Version 0

Status affected

Version 1.1.5

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.05

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
responsibledisclosure@mattermost.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://mattermost.com/security-updates

https://nvd.nist.gov/vuln/detail/CVE-2026-3524

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3524

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3524

EUVD