Description
Mattermost Plugins versions <= 11.6, 10.18.11, 11.3.6, 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609
Published: 2026-06-26
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost plugins prior to the specified versions do not remove OpenAI API keys from error responses before logging. When an authentication failure occurs, the API key, or a usable portion of it, is written to mattermost.log. An attacker who can read these logs, either directly on the server or through support packet reviews, can recover the OpenAI API key, enabling unauthorized use of the OpenAI service with potential financial or data-exposure consequences. The weakness is classified as CWE-532, insertion of sensitive information into a log file.

Affected Systems

The vulnerable software is Mattermost Plugins; versions equal to or lower than 11.6, 10.18.11, 11.3.6, or 11.6.5.0 are affected. The vendor is Mattermost and the product is the Mattermost plugin set.

Risk and Exploitability

The CVSS score of 6.8 indicates a medium severity vulnerability. Exploit probability information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires access to the server's log files or to support packets, meaning either local or privileged compromise of the host. Once the attacker obtains the key, they can authenticate to OpenAI services without authorization, potentially incurring costs or exposing sensitive data. Restricting access to log files and applying the vendor's patched versions reduce this risk.

Generated by OpenCVE AI on June 26, 2026 at 18:38 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost Plugins to any of the following versions: 11.7.0, 10.11.19, 11.6.4, 11.5.7, or newer.
  • Limit access to Mattermost server log files (e.g., mattermost.log) so that only trusted administrators can read them.
  • Review and scrub existing logs to remove any exposed OpenAI API keys before proceeding.

Generated by OpenCVE AI on June 26, 2026 at 18:38 UTC.
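The weakness described above (CWE-532, an upstream error body copied verbatim into mattermost.log) and the third recommended action (scrubbing keys from logs already written) can both be addressed with the same redaction routine. Mattermost plugins are written in Go, so the following added example is in Go; it is not the plugin's own code and not Mattermost's fix. The key pattern (`sk-` followed by at least 16 URL-safe characters), the marker string, the plugin id `example-plugin`, and the sample response body and log lines are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed key shape (an assumption for this example, not a vendor specification):
// an OpenAI-style secret starts with "sk-" followed by at least 16 characters
// from the URL-safe alphabet. Over-matching is acceptable here: a redactor
// should err on the side of removing too much rather than too little.
var openAIKeyPattern = regexp.MustCompile(`sk-[A-Za-z0-9_-]{16,}`)

const redactedMarker = "[REDACTED_OPENAI_KEY]"

// RedactSecrets replaces every substring that looks like an API key with a
// fixed marker, so nothing about the key (not even a partial) reaches the log.
func RedactSecrets(s string) string {
	return openAIKeyPattern.ReplaceAllLiteralString(s, redactedMarker)
}

// SanitizeUpstreamError builds the error a plugin should log after an upstream
// call fails. The response body passes through the redactor because an
// authentication failure is exactly the case where the upstream service may
// echo the rejected credential back in its error message.
func SanitizeUpstreamError(status int, body string) error {
	return fmt.Errorf("openai request failed: status=%d body=%s", status, RedactSecrets(body))
}

// ScrubLogLines applies the same redaction to already-written log lines and
// reports how many lines contained a key, for the post-incident cleanup step.
func ScrubLogLines(lines []string) ([]string, int) {
	out := make([]string, len(lines))
	hits := 0
	for i, line := range lines {
		clean := RedactSecrets(line)
		if clean != line {
			hits++
		}
		out[i] = clean
	}
	return out, hits
}

func main() {
	// Constructed upstream response: an authentication failure whose message
	// echoes the rejected key back to the caller.
	body := `{"error":{"message":"Incorrect API key provided: sk-EXAMPLE0123456789abcdefghij","type":"invalid_request_error"}}`

	fmt.Println("unsafe:", body)
	fmt.Println("safe:  ", SanitizeUpstreamError(401, body))

	// Constructed mattermost.log excerpt in the style of a plugin error line.
	logLines := []string{
		`{"level":"error","msg":"openai request failed","plugin_id":"example-plugin","err":"401 Incorrect API key provided: sk-EXAMPLE0123456789abcdefghij"}`,
		`{"level":"info","msg":"plugin activated","plugin_id":"example-plugin"}`,
	}
	cleaned, hits := ScrubLogLines(logLines)
	fmt.Printf("scrubbed %d line(s):\n%s\n", hits, strings.Join(cleaned, "\n"))
}
```

The important design choice is where the redaction sits: it wraps the error at the point the upstream response is turned into a loggable value, not at individual log call sites, so a new code path that logs the error cannot forget to sanitize it. The same function doubles as the scrubber for existing log files and support packets.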


Advisories

No advisories yet.

References
History

Fri, 26 Jun 2026 21:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mattermost; Mattermost mattermost
Vendors & Products  |                | Mattermost; Mattermost mattermost

Fri, 26 Jun 2026 16:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Mattermost Plugins versions <= 11.6, 10.18.11, 11.3.6, 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609
Title       |                | Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
Weaknesses  |                | CWE-532
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-26T15:40:52.251Z

Reserved: 2026-05-27T12:08:53.502Z

Link: CVE-2026-9699

Vulnrichment

Updated: 2026-06-26T15:40:48.396Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:00:05Z

Weaknesses
  • CWE-532: Insertion of Sensitive Information into Log File