Description
Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621
Published: 2026-04-06
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass allowing unauthorized access to legal hold data
Action: Patch Now
AI Analysis

Impact

The Mattermost Legal Hold plugin suffers from a missing return statement after a failed authorization check in its ServeHTTP method. This flaw results in an authorization bypass that lets any authenticated user invoke the plugin’s API endpoints, enabling them to read, create, download, or delete legal hold records. The weakness corresponds to CWE‑862, which denotes improper authorization, and can compromise confidentiality and evidence integrity.

Affected Systems

Any Mattermost deployment with the Legal Hold plugin version 1.1.4 or older is affected. The core Mattermost server is not directly vulnerable; the issue resides exclusively in the plugin. Administrators should verify plugin versions and upgrade promptly.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity. EPSS data is not available and the attack requires prior authentication to the Mattermost instance, so exploitation would typically come from an internal user or a compromised account. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known public exploitation yet, but the potential impact warrants immediate remediation.

Generated by OpenCVE AI on April 6, 2026 at 15:50 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 1.1.5 or higher.

OpenCVE Recommended Actions

  • Upgrade the Mattermost Legal Hold plugin to version 1.1.5 or newer.

Generated by OpenCVE AI on April 6, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
Description Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621
Title Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-04-07T03:55:35.396Z

Reserved: 2026-03-04T16:15:21.152Z

Link: CVE-2026-3524

cve-icon Vulnrichment

Updated: 2026-04-06T13:52:23.480Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-06T13:17:18.417

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-3524

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:32:49Z

Weaknesses