Skip to main content

Mattermost Google Drive Plugin

1 CVEs product

Monthly

CVE-2026-2299 MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google Mattermost Google Drive Plugin
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
EPSS 0% CVSS 4.2
MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy