CVE-2026-0998
Received
Received - Intake
Authentication Bypass in Mattermost API Enables Unauthorized Zoom Meeting Control
Publication date: 2026-02-16
Last updated on: 2026-02-18
Assigner: Mattermost, Inc.
Description
Description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.10 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.2 (exc) |
| mattermost | mattermost_server | From 11.1.0 (inc) to 11.1.3 (exc) |
| mattermost | zoom | to 1.11.0 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
