CVE-2026-0997 in Mattermost

Summary

by MITRE • 02/16/2026

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <= 1.11.0 fail to validate the authenticated user when processing /plugins/zoom/api/v1/channel-preference, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests. Mattermost Advisory ID: MMSA-2025-00558


Analysis

by VulDB Data Team • 02/20/2026

This vulnerability affects Mattermost server versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1, as well as Mattermost Plugin Zoom versions up to 1.11.0. The flaw lies in the authentication validation for the API endpoint /plugins/zoom/api/v1/channel-preference, which governs Zoom meeting restrictions within Mattermost channels. The endpoint's access control is insufficient: it does not check whether the authenticated user holds any permission over the channel named in the request, so any authenticated user can manipulate channel-specific Zoom meeting settings regardless of their actual role or permissions in the Mattermost environment. This is a critical authorization bypass that directly violates the principle of least privilege and proper access control enforcement.

The root cause is a missing authorization check in the Zoom plugin's API handler for channel preference management. When a logged-in user submits a crafted request to the vulnerable endpoint, the handler never verifies that the requesting user holds the administrative or channel-specific permission required to modify Zoom meeting restrictions for that channel. The result is privilege escalation through the API: any user with valid Mattermost credentials can disrupt channel communications, modify meeting settings, or restrict access to Zoom meetings in channels they should not be able to control. The weakness sits at the application layer, in the plugin architecture's security model, where the plugin's API endpoints do not enforce Mattermost's built-in permission system.
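To make the missing check concrete, here is an added Go example written for this page (it is not code from Mattermost or the Zoom plugin). It contrasts a handler that only confirms the caller is logged in with one that also checks a per-channel permission before writing the preference. The `Mattermost-User-ID` header is the one Mattermost sets on requests it forwards to plugin HTTP handlers; the request body fields, the `PermissionChecker` interface, the `StaticPermissions` and `PreferenceStore` types, and all user and channel IDs are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Mattermost sets this header on requests it forwards to a plugin's HTTP
// handler after validating the session. A non-empty value proves only that
// some user is logged in; it says nothing about that user's rights.
const userIDHeader = "Mattermost-User-ID"

// Assumed JSON body of the channel-preference call; the field names are
// illustrative, not taken from the plugin.
type preferenceRequest struct {
	ChannelID  string `json:"channel_id"`
	Preference string `json:"preference"` // e.g. "restricted" or "open"
}

// PermissionChecker is a hypothetical stand-in for the plugin API's
// per-channel permission check (plugin.API.HasPermissionToChannel in a real plugin).
type PermissionChecker interface {
	HasPermissionToChannel(userID, channelID string) bool
}

// StaticPermissions is a constructed checker: user ID -> channels that user may manage.
type StaticPermissions map[string]map[string]bool

func (s StaticPermissions) HasPermissionToChannel(userID, channelID string) bool {
	return s[userID][channelID]
}

// PreferenceStore maps channel ID -> Zoom restriction setting (in-memory stand-in
// for the plugin's KV store).
type PreferenceStore map[string]string

// requireLogin returns the user Mattermost authenticated, writing 401 if there is none.
func requireLogin(w http.ResponseWriter, r *http.Request) (string, bool) {
	userID := r.Header.Get(userIDHeader)
	if userID == "" {
		http.Error(w, "not authorized", http.StatusUnauthorized)
	}
	return userID, userID != ""
}

// readBody decodes the JSON body, writing 400 on malformed or incomplete input.
func readBody(w http.ResponseWriter, r *http.Request) (preferenceRequest, bool) {
	var req preferenceRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.ChannelID == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return req, false
	}
	return req, true
}

// VulnerableHandler mirrors the flaw the advisory describes: it confirms the
// caller is logged in, then writes whatever channel_id the body names.
func VulnerableHandler(store PreferenceStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, ok := requireLogin(w, r); !ok {
			return
		}
		req, ok := readBody(w, r)
		if !ok {
			return
		}
		store[req.ChannelID] = req.Preference // no check that this user may manage the channel
		w.WriteHeader(http.StatusOK)
	}
}

// HardenedHandler adds the missing object-level check: the authenticated user
// must hold the management permission on the specific channel named in the body.
func HardenedHandler(store PreferenceStore, perms PermissionChecker) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID, ok := requireLogin(w, r)
		if !ok {
			return
		}
		req, ok := readBody(w, r)
		if !ok {
			return
		}
		if !perms.HasPermissionToChannel(userID, req.ChannelID) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		store[req.ChannelID] = req.Preference
		w.WriteHeader(http.StatusOK)
	}
}

// PostPreference drives a handler in-process and returns the HTTP status code.
func PostPreference(h http.Handler, userID, channelID, pref string) int {
	body := fmt.Sprintf(`{"channel_id":%q,"preference":%q}`, channelID, pref)
	r := httptest.NewRequest(http.MethodPost, "/plugins/zoom/api/v1/channel-preference", strings.NewReader(body))
	if userID != "" {
		r.Header.Set(userIDHeader, userID)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

func main() {
	perms := StaticPermissions{"admin": {"ch-finance": true}} // constructed data
	vuln, hard := PreferenceStore{}, PreferenceStore{}
	fmt.Println("vulnerable:", PostPreference(VulnerableHandler(vuln), "alice", "ch-finance", "restricted"), vuln)
	fmt.Println("hardened:  ", PostPreference(HardenedHandler(hard, perms), "alice", "ch-finance", "restricted"), hard)
}
```

The important design point is that the authorization decision is made against the object the request names (the channel in the body), not against the session alone; a session check answers "who is this?", and a per-channel permission check answers "may this person change this channel?". Both are needed, and the second one is what the affected versions lack.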

The operational impact is significant in enterprise collaboration environments that rely on Mattermost for team communications and Zoom for video conferencing. An attacker holding any valid Mattermost account could disable Zoom meeting functionality for critical channels, restrict access to important meetings, or change channel preferences to disrupt team collaboration workflows. Organizations whose security boundaries depend on channel-based access control are particularly affected. Beyond disruption, there is a data exposure risk: unauthorized users could alter meeting settings to include or exclude specific participants, compromising the confidentiality of sensitive discussions. The vulnerability maps to CWE-285: Improper Authorization, a critical weakness class in software security architecture.

Organizations should immediately update to the patched versions of Mattermost server and the Zoom plugin that address the authentication bypass vulnerability. Network segmentation and API access controls should limit who can reach the vulnerable endpoint, and monitoring should be enabled to detect unauthorized requests to the channel-preference endpoint. The durable fix is to enforce proper access control checks at the application layer, apply role-based access control to plugin APIs, and review every plugin endpoint for correct authorization validation. The vulnerability aligns with ATT&CK technique T1078.004: Valid Accounts, where attackers use legitimate user credentials to exploit authorization weaknesses, and T1566.002: Phishing via Social Engineering, where attackers may first obtain credentials before exploiting this authorization bypass. Security teams should also consider automated vulnerability scanning tools that detect and alert on unauthorized access attempts against sensitive API endpoints in their Mattermost environments.
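The monitoring recommendation above can be turned into a concrete check. The following is an added Go example written for this page, not tooling from VulDB or Mattermost: it scans newline-delimited JSON access records for POSTs to the channel-preference endpoint and flags two patterns, a caller who is not entitled to manage the channel they changed, and a caller who changed more channels than a threshold (useful where membership data is incomplete). The log field names, the `Membership` map, the sample records, and the user and channel IDs are all constructed for this example and do not follow Mattermost's own log schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const preferencePath = "/plugins/zoom/api/v1/channel-preference"

// accessRecord is a constructed per-request log record for plugin API calls.
// The field names are an assumption for this example, not Mattermost's log schema.
type accessRecord struct {
	Time      string `json:"time"`
	UserID    string `json:"user_id"`
	Method    string `json:"method"`
	Path      string `json:"path"`
	ChannelID string `json:"channel_id"`
	Status    int    `json:"status"`
}

// Membership maps channel ID -> set of user IDs entitled to manage that channel.
// In a real deployment this would be pulled from Mattermost; here it is constructed.
type Membership map[string]map[string]bool

// Finding is one request (or one caller) that deserves review.
type Finding struct {
	Time, UserID, ChannelID, Reason string
}

// AuditPreferenceCalls scans newline-delimited JSON access records and reports
// (1) POSTs to the channel-preference endpoint by callers not entitled to manage
// the named channel, and (2) callers that modified more than maxChannels distinct
// channels, a signal that still works where membership data is incomplete.
func AuditPreferenceCalls(logData string, members Membership, maxChannels int) ([]Finding, error) {
	var findings []Finding
	touched := map[string]map[string]bool{} // user -> channels modified
	var order []string                       // users by first appearance, for stable output
	for n, line := range strings.Split(strings.TrimSpace(logData), "\n") {
		var rec accessRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if rec.Method != "POST" || rec.Path != preferencePath {
			continue
		}
		if !members[rec.ChannelID][rec.UserID] {
			findings = append(findings, Finding{rec.Time, rec.UserID, rec.ChannelID, "caller not entitled to manage channel"})
		}
		if touched[rec.UserID] == nil {
			touched[rec.UserID] = map[string]bool{}
			order = append(order, rec.UserID)
		}
		touched[rec.UserID][rec.ChannelID] = true
	}
	for _, user := range order {
		if n := len(touched[user]); n > maxChannels {
			findings = append(findings, Finding{"", user, "", fmt.Sprintf("modified %d distinct channels", n)})
		}
	}
	return findings, nil
}

// SampleMembership and SampleLog are constructed for this example, not captured data.
var SampleMembership = Membership{
	"ch-finance": {"admin": true},
	"ch-eng":     {"alice": true, "bob": true},
	"ch-hr":      {"admin": true},
	"ch-legal":   {"admin": true},
}

const SampleLog = `
{"time":"2026-02-17T10:00:01Z","user_id":"admin","method":"POST","path":"/plugins/zoom/api/v1/channel-preference","channel_id":"ch-finance","status":200}
{"time":"2026-02-17T10:00:05Z","user_id":"alice","method":"POST","path":"/plugins/zoom/api/v1/channel-preference","channel_id":"ch-finance","status":200}
{"time":"2026-02-17T10:00:06Z","user_id":"alice","method":"POST","path":"/plugins/zoom/api/v1/channel-preference","channel_id":"ch-eng","status":200}
{"time":"2026-02-17T10:00:07Z","user_id":"alice","method":"POST","path":"/plugins/zoom/api/v1/channel-preference","channel_id":"ch-hr","status":200}
{"time":"2026-02-17T10:00:08Z","user_id":"bob","method":"GET","path":"/plugins/zoom/api/v1/meetings","channel_id":"","status":200}
{"time":"2026-02-17T10:00:09Z","user_id":"alice","method":"POST","path":"/plugins/zoom/api/v1/channel-preference","channel_id":"ch-legal","status":200}
`

// DemoFindings runs the audit over the constructed sample with a threshold of 2 channels.
func DemoFindings() ([]Finding, error) {
	return AuditPreferenceCalls(SampleLog, SampleMembership, 2)
}

func main() {
	findings, err := DemoFindings()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s user=%-6s channel=%-10s %s\n", f.Time, f.UserID, f.ChannelID, f.Reason)
	}
}
```

On the sample, the three writes by alice to channels she is not entitled to manage are reported individually, and her fourth distinct channel also trips the per-user threshold; admin's write to a channel he manages is silent. The threshold rule is worth keeping alongside the membership rule because a successful 200 on the unpatched endpoint looks identical for authorized and unauthorized callers, so volume across channels is often the first visible sign.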

Responsible

Mattermost

Reservation

01/15/2026

Disclosure

02/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00042

KEV

no

Activities

very low

Sources
