{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3524", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-03-04T16:15:21.152Z", "datePublished": "2026-04-06T12:06:22.092Z", "dateUpdated": "2026-04-07T03:55:35.396Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "1.1.4", "status": "affected", "version": "0", "versionType": "semver"}, {"version": "1.1.5", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hassan Mohammed"}], "descriptions": [{"lang": "en", "value": "Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseSeverity": "HIGH", "baseScore": 8.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00621", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost Plugins to versions 1.1.5 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00621", "defect": ["https://mattermost.atlassian.net/browse/MM-67763"], "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "title": "Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-06T12:06:22.092Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-3524"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:55:35.396Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3524", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T13:51:59.178535Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:52:23.480Z"}}], "cna": {"title": "Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67763"], "advisory": "MMSA-2026-00621", "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "credits": [{"lang": "en", "type": "finder", "value": "Hassan Mohammed"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.4"}, {"status": "unaffected", "version": "1.1.5"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Plugins to versions 1.1.5 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00621", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-06T12:06:22.092Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3524", "state": "PUBLISHED", "dateUpdated": "2026-04-07T03:55:35.396Z", "dateReserved": "2026-03-04T16:15:21.152Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-04-06T12:06:22.092Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621"}], "id": "CVE-2026-3524", "lastModified": "2026-04-07T13:20:35.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-04-06T13:17:18.417", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.1.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-04-06T15:50:22.406434+00:00", "value": {"mitigation_remediation": ["Upgrade the Mattermost Legal Hold plugin to version 1.1.5 or newer."], "summary": {"action": "Patch Now", "impact": "Authorization bypass allowing unauthorized access to legal hold data"}, "threat_synthesis": {"affected_systems": "Any Mattermost deployment with the Legal Hold plugin version 1.1.4 or older is affected. The core Mattermost server is not directly vulnerable; the issue resides exclusively in the plugin. Administrators should verify plugin versions and upgrade promptly.", "description_and_impact": "The Mattermost Legal Hold plugin suffers from a missing return statement after a failed authorization check in its ServeHTTP method. This flaw results in an authorization bypass that lets any authenticated user invoke the plugin\u2019s API endpoints, enabling them to read, create, download, or delete legal hold records. The weakness corresponds to CWE\u2011862, which denotes improper authorization, and can compromise confidentiality and evidence integrity.", "risk_and_exploitability": "The CVSS score of 8.3 indicates high severity. EPSS data is not available and the attack requires prior authentication to the Mattermost instance, so exploitation would typically come from an internal user or a compromised account. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known public exploitation yet, but the potential impact warrants immediate remediation."}}}}, "created": "2026-04-06T20:14:34.261470+00:00", "updated": "2026-04-06T21:32:49.662764+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}