PT-2026-52566 · Mattermost · Mattermost Google Drive Plugin

Lorenzo Gallegos

Published

2026-06-25

Updated

2026-06-25

CVE-2026-2299

CVSS v3.1

4.2

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2026-2299

Affected Products

Mattermost Google Drive Plugin

PT-2026-52566 · Mattermost · Mattermost Google Drive Plugin

CVE-2026-2299

Weakness Enumeration

Related Identifiers

Affected Products

References · 2