Impact
The vulnerability arises from inadequate validation of user identity and post ownership when the Mattermost Zoom plugin processes API requests. An attacker who can send crafted requests to the /api/v1/askPMI endpoint may specify any user ID and post data, causing the plugin to start Zoom meetings on behalf of the specified user and to overwrite arbitrary posts. The primary impact is the ability to impersonate other users, tamper with collaboration content, and potentially spread misinformation or disrupt communication. The weakness is classified as missing authorization (CWE-862).
Affected Systems
Mattermost servers running versions 10.11.x (through 10.11.9), 11.1.x (through 11.1.2), and 11.2.x (through 11.2.1), as well as Mattermost Zoom plugin versions 1.11.0 and earlier, are affected. Upgrading the core Mattermost server to 10.11.10, 11.1.3, 11.2.2, or 11.3.0 and later, or upgrading the Zoom plugin to 1.12.0 and later, fixes the issue.
Risk and Exploitability
The CVSS score of 4.3 indicates a low overall severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would need the ability to send API requests to the affected endpoint, which is typically restricted to authenticated users with API access. However, because the plugin fails to enforce ownership checks, a malicious user with API credentials can target any user ID, so the risk is more pronounced in environments where API credentials are widely issued. The most likely attack vector involves crafting HTTP requests to the /api/v1/askPMI endpoint that specify arbitrary user identifiers and post payloads.
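As an added illustration of the missing-authorization pattern described in the Impact and Risk sections above (example code written for this page, not the Zoom plugin's own code), the following hypothetical Go handler for an askPMI-style request is shown first in the form that trusts the user ID and post ID supplied in the request body, then hardened to take the acting user from the identity the Mattermost server supplies in the Mattermost-User-Id header and to refuse updates to posts the caller did not author. The request field names, the post table and the user names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
)

// askPMIRequest is an assumed request shape carrying a caller-supplied user ID
// and post data; the field names are this example's, not the plugin's.
type askPMIRequest struct {
	UserID  string `json:"user_id"`
	PostID  string `json:"post_id"`
	Message string `json:"message"`
}

// Post is a minimal stand-in for a Mattermost post; UserID is its author.
type Post struct {
	ID, UserID, Message string
}

// newStore returns a constructed sample post table: p1 authored by "victim",
// p2 authored by "attacker".
func newStore() map[string]*Post {
	return map[string]*Post{
		"p1": {ID: "p1", UserID: "victim", Message: "original victim post"},
		"p2": {ID: "p2", UserID: "attacker", Message: "attacker's own post"},
	}
}

var (
	ErrUnauthenticated = errors.New("missing authenticated user")
	ErrForbidden       = errors.New("forbidden: user ID or post ownership mismatch")
	ErrNotFound        = errors.New("post not found")
)

// vulnerableAskPMI shows the CWE-862 pattern: the acting user and target post
// come from the body, so any caller can act as any user and overwrite any post.
// The server-authenticated user ID is ignored entirely.
func vulnerableAskPMI(store map[string]*Post, _ string, body []byte) (*Post, error) {
	var req askPMIRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	post, ok := store[req.PostID]
	if !ok {
		return nil, ErrNotFound
	}
	post.UserID = req.UserID   // meeting attributed to whoever the body names
	post.Message = req.Message // arbitrary post overwritten
	return post, nil
}

// hardenedAskPMI derives the acting user from the server-authenticated identity,
// rejects a body user ID that differs from it, and updates only a post that
// this user authored.
func hardenedAskPMI(store map[string]*Post, authUserID string, body []byte) (*Post, error) {
	if authUserID == "" {
		return nil, ErrUnauthenticated
	}
	var req askPMIRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	if req.UserID != "" && req.UserID != authUserID {
		return nil, ErrForbidden
	}
	post, ok := store[req.PostID]
	if !ok {
		return nil, ErrNotFound
	}
	if post.UserID != authUserID { // ownership check
		return nil, ErrForbidden
	}
	post.Message = req.Message
	return post, nil
}

// askPMIHandler wires the hardened logic to HTTP. The Mattermost server sets the
// Mattermost-User-Id header on requests it forwards to a plugin; that header,
// not the body, is the identity to trust.
func askPMIHandler(store map[string]*Post) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 64<<10))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		_, err = hardenedAskPMI(store, r.Header.Get("Mattermost-User-Id"), body)
		switch {
		case errors.Is(err, ErrUnauthenticated):
			http.Error(w, err.Error(), http.StatusUnauthorized)
		case errors.Is(err, ErrForbidden):
			http.Error(w, err.Error(), http.StatusForbidden)
		case err != nil:
			http.Error(w, err.Error(), http.StatusBadRequest)
		default:
			w.WriteHeader(http.StatusOK)
		}
	}
}
```

The design point is that the hardened handler never lets a body field decide who is acting: the server-authenticated identity is the only source of the user ID, and every post mutation is gated on that identity matching the post's author. A detection angle follows from the same asymmetry: requests to the endpoint whose body user ID differs from the session's user are exactly the ones the vulnerable version accepts and the fixed version rejects with 403.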
OpenCVE Enrichment
GitHub GHSA