CVE-2026-3109
Received Received - Intake
Timestamp Validation Bypass in Mattermost Plugins Enables Zoom State Corruption

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: Mattermost, Inc.

Description
Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-05-07
AI Q&A
2026-03-26
EPSS Evaluated
2026-05-05
NVD
CVE-2026-3109
EUVD
EUVD-2026-16236
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mattermost plugins to 11.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Mattermost Plugins versions up to 11.4 10.11.11.0, where the plugins fail to validate webhook request timestamps. This flaw allows an attacker to replay webhook requests, which can corrupt the Zoom meeting state within Mattermost.


How can this vulnerability impact me? :

The impact of this vulnerability is limited to the potential corruption of Zoom meeting state in Mattermost. Because the vulnerability allows replayed webhook requests, it could disrupt meeting information or cause inconsistencies in meeting management. The CVSS score indicates a low severity with no impact on confidentiality or integrity, but a low impact on availability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart