CVE-2026-3524
Authorization Bypass in Mattermost Legal Hold Plugin Allows Data Access
Publication date: 2026-04-06
Last updated on: 2026-04-06
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | plugin_legal_hold | to 1.1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Mattermost Plugin Legal Hold versions up to 1.1.4 have a vulnerability where the plugin fails to stop processing requests after an authorization check fails in the ServeHTTP function.
This flaw allows an authenticated attacker to bypass authorization controls and perform unauthorized actions such as accessing, creating, downloading, and deleting legal hold data by sending specially crafted API requests to the plugin's endpoints.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows an authenticated attacker to gain unauthorized access and control over sensitive legal hold data.
- Access sensitive legal hold information without proper authorization.
- Create or modify legal hold data, potentially corrupting or falsifying records.
- Download confidential legal hold data, leading to data leakage.
- Delete legal hold data, which could result in loss of critical evidence or records.
Overall, this can compromise the integrity, confidentiality, and availability of legal hold data.