CVE-2026-3109

| EUVD-2026-16236 LOW
2026-03-26 Mattermost
2.2
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 26, 2026 - 16:45 vuln.today
EUVD ID Assigned
Mar 26, 2026 - 16:45 euvd
EUVD-2026-16236
CVE Published
Mar 26, 2026 - 16:28 nvd
LOW 2.2

Tags

Information Disclosure

Description

Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584

Analysis

Mattermost Plugins versions 11.4 and earlier, including 10.11.11.0, fail to validate webhook request timestamps, enabling attackers with high privileges to replay webhook requests and corrupt Zoom meeting state within Mattermost deployments. The vulnerability carries a CVSS score of 2.2 with low attack complexity but requires high-privilege authentication; no public exploit has been identified at time of analysis, and CISA has not flagged this for active exploitation.

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

11
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +11
POC: 0

Share

CVE-2026-3109 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy