CVE-2026-0997 - Vulnerability Details

- Mattermost Zoom Plugin channel preference API lacks authorization checks

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558

Published: 2026-02-16

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mattermost Server and the Zoom plugin contain a user‑validation flaw when the /plugins/zoom/api/v1/channel-preference endpoint is accessed. Because the authenticated user is not correctly checked, any logged‑in user can craft an API request to alter Zoom meeting restrictions for any channel. This allows an attacker to bypass channel‑level permissions and modify meeting settings that should be controlled by channel administrators, potentially disrupting communications or enabling malicious meeting configurations.

Affected Systems

Affected installations include Mattermost Server versions 10.11.x up to 10.11.9, 11.1.x up to 11.1.2, and 11.2.x up to 11.2.1, as well as Mattermost Plugin Zoom versions up to 1.11.0.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of <1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate to Mattermost but thereafter can send crafted requests from any channel to change Zoom restrictions. There is no need for external network access beyond normal authenticated usage, so the primary requirement is an existing logged‑in account and knowledge of the vulnerable API endpoint.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

unaffected

Version	Status	Constraints
`11.1.0`	affected	≤ 11.1.2
`10.11.0`	affected	≤ 10.11.9
`11.2.0`	affected	≤ 11.2.1
`11.3.0`	unaffected	—
`11.1.3`	unaffected	—
`10.11.10`	unaffected	—
`11.2.2`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:zoom::::::mattermost::*

No data.

Vendor Product Confidence Versions

Mattermost

—

Version	Status	Scheme	Platform
`[11.1.0,11.1.2]`	affected	semver	—
`[10.11.0,10.11.9]`	affected	semver	—
`[11.2.0,11.2.1]`	affected	semver	—
`11.3.0`	unaffected	semver	—
`11.1.3`	unaffected	semver	—
`10.11.10`	unaffected	semver	—
`11.2.2`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update Mattermost to versions 11.3.0, 11.1.3, 10.11.10, 11.2.2 or higher. Alternatively, update Mattermost Plugin Zoom to version 1.12.0 or higher

OpenCVE Recommended Actions

Upgrade Mattermost Server to 10.11.10, 11.1.3, 11.2.2, or 11.3.0 or newer.
Upgrade Mattermost Zoom Plugin to 1.12.0 or newer.
Remove or disable the Zoom plugin if the functionality is not required.

Generated by OpenCVE AI on April 17, 2026 at 19:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-2phx-frhf-xr55	Mattermost Plugin Zoom allows any logged-in user to change Zoom meeting restrictions for arbitrary channels

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://mattermost.com/security-updates

History

Wed, 18 Feb 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost mattermost Server Mattermost zoom
CPEs		cpe:2.3:a:mattermost:mattermost_server:::::::: cpe:2.3:a:mattermost:zoom::::::mattermost::*
Vendors & Products		Mattermost mattermost Server Mattermost zoom

Tue, 17 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Vendors & Products		Mattermost Mattermost mattermost

Mon, 16 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558
Title		Mattermost Zoom Plugin channel preference API lacks authorization checks
Weaknesses		CWE-863
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Mattermost Mattermost Mattermost Server Zoom

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-02-16T09:58:41.450Z

Updated: 2026-02-17T15:00:18.867Z

Reserved: 2026-01-15T15:55:56.839Z

Link: CVE-2026-0997

Vulnrichment

Updated: 2026-02-17T15:00:15.835Z

NVD

Status : Analyzed

Published: 2026-02-16T10:16:07.793

Modified: 2026-02-18T20:23:34.847

Link: CVE-2026-0997

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object