CVE-2026-0997

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.1.x through 11.1.2 Mattermost versions 10.11.x through 10.11.9 Mattermost versions 11.2.x through 11.2.1 Mattermost Plugin Zoom versions through 1.11.0

Description The Mattermost application and its Zoom plugin do not properly verify user authorization when handling requests. Specifically, the system fails to validate the authenticated user when processing requests to the /plugins/zoom/api/v1/channel-preference API endpoint. This allows any authenticated user to modify Zoom meeting restrictions for any channel by sending specially crafted API requests. The vulnerable function is not explicitly mentioned.

Recommendations Update Mattermost to a version later than 11.1.2. Update Mattermost to a version later than 10.11.9. Update Mattermost to a version later than 11.2.1. Update the Mattermost Zoom Plugin to a version later than 1.11.0.