PT-2026-8329 · WordPress+1 · Mattermost Plugin Zoom+1
Daw10
·
Published
2026-02-16
·
Updated
2026-03-03
·
CVE-2026-0998
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 11.1.x through 11.1.2
Mattermost versions 10.11.x through 10.11.9
Mattermost versions 11.2.x through 11.2.1
Mattermost Plugin Zoom versions through 1.11.0
Description
The software does not properly validate user identity and post ownership. This allows unauthorized users to initiate Zoom meetings as any user and modify posts through direct API calls with manipulated user IDs and post data. The issue affects the
/api/v1/askPMI endpoint. The user id and post data are vulnerable parameters used in the API calls.Recommendations
Update Mattermost to a version later than 11.1.2.
Update Mattermost to a version later than 10.11.9.
Update Mattermost to a version later than 11.2.1.
Update Mattermost Plugin Zoom to a version later than 1.11.0.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost
Mattermost Plugin Zoom