CVE-2026-6957 Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write.
Mattermost Plugins versions =1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via...
Insertion of Sensitive Information into Log File
Overview github.com/mattermost/mattermost-plugin-calls/server is a package that enables voice calling and screen sharing functionality in Mattermost channels. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the plugin configuration process. ...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the group subscription process. An attacker can gain unauthorized access to groups that were not intended to be accessible by creating groups with prefixes matching those of whitelisted groups. Remediation A...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API-level authorization process. An attacker can create issues or attach comments to a locked group by sending direct API requests as a member of multiple groups. Remediation Upgrade...
CVE-2026-3117
Mattermost plugins contain a permission-check flaw in the GitLab plugin command processing. Versions affected: Mattermost Plugins
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /lifecycle webhook endpoint. An attacker can exhaust system memory and disrupt service availability by sending an oversized JSON payload. Remediation Upgrade...
GHSA-5RFV-H47G-XJ42 Mattermost MS Teams plugin doesn't limit the request body size on the /changes webhook endpoint
Mattermost Plugins versions =2.1.3.0 fail to limit the request body size on the /changes webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611...
Mattermost MS Teams plugin doesn't limit the request body size on the /lifecycle webhook endpoint
Mattermost Plugins versions =2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610...
CVE-2026-21388 Unbounded Request Body Read in MS Teams Plugin /lifecycle Webhook Endpoint
Mattermost Plugins versions =2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610...
CVE-2026-3524
Mattermost Plugin Legal Hold versions =1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID:...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to a missing return statement after a permission check in the ServeHTTP function. An attacker can gain unauthorized access to, create, download, and delete sensitive legal hold data by sending crafted API...
CVE-2026-3524 Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check
Mattermost Plugin Legal Hold versions =1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID:...
Server-side Request Forgery (SSRF)
Overview @openclaw/mattermost is an OpenClaw Mattermost channel plugin. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An...
Incorrect Authorization
Overview @openclaw/mattermost is an OpenClaw Mattermost channel plugin. Affected versions of this package are vulnerable to Incorrect Authorization in the auth process. An attacker can gain unauthorized access by sending requests with add-on principals that are not bound to the intended deployment...
Incorrect Authorization
Overview @openclaw/mattermost is an OpenClaw Mattermost channel plugin. Affected versions of this package are vulnerable to Incorrect Authorization via the callback process. An attacker can execute unauthorized actions by sending specially crafted requests before sender authorization checks are...
CVE-2026-3109 Missing timestamp validation in Zoom webhook handler
Mattermost Plugins versions =11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584...
CVE-2026-3109
Mattermost Plugins in versions
GO-2026-4812 Mattermost fails to verify run_create permission for empty playbookId in github.com/mattermost/mattermost-plugin-playbooks
Mattermost fails to verify run_create permission for empty playbookId in github.com/mattermost/mattermost-plugin-playbooks...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the comment block modification process. An attacker can alter comments created by other users by leveraging editor permissions without proper authorization checks. Remediation Upgrade...