Description
The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
Published: 2026-06-25
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mattermost Google Drive plugin, in versions prior to 1.1.0, does not verify that a user belongs to a channel before allowing them to create a file share to that Because users with a Google account that is already authenticated can use the file creation endpoint, they can attach a file to a private channel they are not a member of, thereby revealing the membership and contents of the channel. The flaw is a classic missing permissions error, identified as CWE-862, and results in unauthorized data exposure and potential compromise of the privacy of private channels.

Affected Systems

Affected product is the Mattermost Google Drive Plugin. All released versions earlier than 1.1.0 are vulnerable. The vulnerability applies to installations of the plugin regardless of the Mattermost server version, as the flaw resides in the plugin itself.

Risk and Exploitability

The CVSS score of 4.2 indicates a moderate severity. EPSS is not reported, so the exploitation likelihood is unclear but the vulnerability requires authenticated access to the plugin's file creation API, meaning a known user or social engineering could trigger it. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is no confirmed exploitation. Nevertheless, the potential for privacy leakage makes it a concern for organisations handling sensitive channel data.

Generated by OpenCVE AI on June 25, 2026 at 21:23 UTC.

Remediation

Vendor Solution

Update Mattermost Google Drive plugin to version 1.1.0 or higher.

OpenCVE Recommended Actions

  • Update the Mattermost Google Drive plugin to version 1.1.0 or later to apply the vendor's fix.
  • As a temporary safeguard, disable or limit the plugin’s file‑creation functionality for users who do not require Google Drive sharing until the update can be deployed.
  • Review and enforce proper membership checks on all plugin endpoints to ensure users cannot act on channels they are not part of.
  • Monitor plugin logs for unauthorized file‑sharing attempts to detect any exploitation as soon as possible.

Generated by OpenCVE AI on June 25, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost Google Drive Plugin
Vendors & Products Mattermost
Mattermost mattermost Google Drive Plugin

Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
Title Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Mattermost Mattermost Google Drive Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-26T14:05:09.476Z

Reserved: 2026-02-10T16:46:56.322Z

Link: CVE-2026-2299

cve-icon Vulnrichment

Updated: 2026-06-26T14:05:02.576Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:28Z

Weaknesses