{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0998", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-01-15T15:58:22.233Z", "datePublished": "2026-02-16T09:54:24.732Z", "dateUpdated": "2026-02-17T15:00:44.691Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.1.2", "status": "affected", "version": "11.1.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.9", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"lessThanOrEqual": "11.2.1", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"version": "11.3.0", "status": "unaffected"}, {"version": "11.1.3", "status": "unaffected"}, {"version": "10.11.10", "status": "unaffected"}, {"version": "11.2.2", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daw10"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00534", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.3.0, 11.1.3, 10.11.10, 11.2.2 or higher. Alternatively, update Mattermost Zoom Plugin to version 1.12.0 or higher", "lang": "en"}], "source": {"advisory": "MMSA-2025-00534", "defect": ["https://mattermost.atlassian.net/browse/MM-66136"], "discovery": "EXTERNAL"}, "title": "Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-02-16T09:54:24.732Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:00:37.795086Z", "id": "CVE-2026-0998", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:00:44.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0998", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:00:37.795086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:00:41.277Z"}}], "cna": {"title": "Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-66136"], "advisory": "MMSA-2025-00534", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "daw10"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.1.0", "versionType": "semver", "lessThanOrEqual": "11.1.2"}, {"status": "affected", "version": "10.11.0", "versionType": "semver", "lessThanOrEqual": "10.11.9"}, {"status": "affected", "version": "11.2.0", "versionType": "semver", "lessThanOrEqual": "11.2.1"}, {"status": "unaffected", "version": "11.3.0"}, {"status": "unaffected", "version": "11.1.3"}, {"status": "unaffected", "version": "10.11.10"}, {"status": "unaffected", "version": "11.2.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.3.0, 11.1.3, 10.11.10, 11.2.2 or higher. Alternatively, update Mattermost Zoom Plugin to version 1.12.0 or higher"}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00534", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-02-16T09:54:24.732Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0998", "state": "PUBLISHED", "dateUpdated": "2026-02-17T15:00:44.691Z", "dateReserved": "2026-01-15T15:58:22.233Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-02-16T09:54:24.732Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "92B0F8BD-06A1-4B39-95C5-4FB5A195F1C4", "versionEndExcluding": "10.11.10", "versionStartIncluding": "10.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F28AD5DC-E336-4DD3-BC31-AC924190433C", "versionEndExcluding": "11.1.3", "versionStartIncluding": "11.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D98EAFB2-8055-4893-835B-30A99ED97892", "versionEndExcluding": "11.2.2", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mattermost:zoom:*:*:*:*:*:mattermost:*:*", "matchCriteriaId": "795B314D-69ED-4BB3-9F72-C9441FFA3852", "versionEndIncluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534"}, {"lang": "es", "value": "Las versiones de Mattermost 11.1.x &lt;= 11.1.2, 10.11.x &lt;= 10.11.9, 11.2.x &lt;= 11.2.1 y las versiones del plugin de Mattermost Zoom &lt;=1.11.0 no validan la identidad del usuario y la propiedad de la publicaci\u00f3n en el endpoint {{/api/v1/askPMI}}, lo que permite a usuarios no autorizados iniciar reuniones de Zoom como cualquier usuario y sobrescribir publicaciones arbitrarias a trav\u00e9s de llamadas directas a la API con ID de usuario y datos de publicaci\u00f3n manipulados. ID de aviso de Mattermost: MMSA-2025-00534"}], "id": "CVE-2026-0998", "lastModified": "2026-02-18T20:22:51.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-02-16T10:16:07.983", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.1.0,11.1.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.11.0,10.11.9]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.2.0,11.2.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.3.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.1.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.11.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.2.2"}}], "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-04-17T19:09:46.369961+00:00", "value": {"mitigation_remediation": ["Upgrade Mattermost to version 11.3.0, 11.1.3, 10.11.10, 11.2.2, or later.", "Upgrade the Mattermost Zoom plugin to version 1.12.0 or later.", "If upgrading is not immediately possible, disable or remove the Zoom plugin until a patch is applied to prevent unauthorized access to the /api/v1/askPMI endpoint."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Zoom Meeting Creation and Post Modification"}, "threat_synthesis": {"affected_systems": "Mattermost servers running versions 10.11.x (up to 10.11.9), 11.1.x (up to 11.1.2), and 11.2.x (up to 11.2.1) as well as the Mattermost Zoom plugin version 1.11.0 or earlier are affected. Upgrading the core Mattermost server to 11.3.0, 11.1.3, 10.11.10, or 11.2.2 and later, or upgrading the Zoom plugin to 1.12.0 and later, fixes the issue.", "description_and_impact": "The vulnerability arises from inadequate validation of user identity and post ownership when the Mattermost Zoom plugin processes API requests. An attacker who can send crafted requests to the /api/v1/askPMI endpoint may specify any user ID and post data, causing the system to start Zoom meetings as if they were the specified user and to overwrite arbitrary posts. The primary impact is the ability to impersonate other users, interfere with collaboration content, and potentially spread misinformation or disrupt communication. The weakness is classified as a lack of proper access control (CWE-862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low overall severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would need the ability to send API requests to the affected endpoint, which is typically restricted to authenticated users with API access. However, because the plugin fails to enforce ownership checks, a malicious user with API credentials can target any user ID, making the risk more pronounced in environments where API keys are widely available. The most likely attack vector involves manually crafting HTTP requests to the /api/v1/askPMI endpoint, specifying arbitrary user identifiers and post payloads."}}}}, "created": "2026-02-16T12:00:57.572731+00:00", "updated": "2026-04-17T19:15:26.254461+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}