Mattermost and Zoom Plugin: Unauthorized Access to Meetings and Posts
CVE-2026-0998
GHSA-w65c-fvp5-fvc5
Summary
The Mattermost and Zoom Plugin may allow unauthorized users to start Zoom meetings and modify posts in certain versions. This can be exploited through direct API calls. Mattermost and Zoom Plugin users should update to the latest version to fix this issue.
What to do
- Update github.com mattermost to version 1.12.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | mattermost | <= 1.12.0 | 1.12.0 |
| mattermost | mattermost_server | > 10.11.0 , <= 10.11.10 | – |
| mattermost | mattermost_server | > 11.1.0 , <= 11.1.3 | – |
| mattermost | mattermost_server | > 11.2.0 , <= 11.2.2 | – |
| mattermost | zoom | <= 1.11.0 | – |
Original title
Mattermost Plugin Zoom fails to validate user identity and post ownership in the /api/v1/askPMI endpoint
Original description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the /api/v1/askPMI endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data. Mattermost Advisory ID: MMSA-2025-00534
nvd CVSS3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026