wid-sec-w-2026-0625  ·  Published 2026-03-05  ·  Source: BSI CERT-Bund

Mattermost Plugin "Legal Hold": Vulnerability allows unspecified attack

CVSS 8.8 HIGH

Risk Summary

Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621
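
The bug class named in the summary (a failed authorization check that does not stop request processing) is shown below as an added example. It is not code from the Legal Hold plugin: the handler, the `X-User-ID` header, the `admin` policy and the `hold-1` record are all constructed for illustration.

```go
// Added illustration; not the plugin's code. All names are hypothetical.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// plugin models an HTTP entry point guarding constructed sensitive records.
type plugin struct {
	holds    map[string]bool
	hardened bool // false reproduces the missing-return bug class
}

// authorized is a placeholder policy: only the constructed user "admin" passes.
func authorized(r *http.Request) bool { return r.Header.Get("X-User-ID") == "admin" }

func (p *plugin) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !authorized(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		if p.hardened {
			return // the fix: stop processing once the check fails
		}
		// Bug class: execution falls through to the privileged code below.
	}
	// Privileged action: delete the record named in the query string.
	delete(p.holds, r.URL.Query().Get("id"))
	w.WriteHeader(http.StatusOK) // has no effect if 403 was already written
}

// probe sends one unauthorized DELETE; returns status and whether the record survived.
func probe(hardened bool) (status int, recordSurvived bool) {
	p := &plugin{holds: map[string]bool{"hold-1": true}, hardened: hardened}
	req := httptest.NewRequest(http.MethodDelete, "/holds?id=hold-1", nil)
	req.Header.Set("X-User-ID", "regular-user")
	rec := httptest.NewRecorder()
	p.ServeHTTP(rec, req)
	return rec.Code, p.holds["hold-1"]
}

func main() {
	for _, h := range []bool{false, true} {
		code, ok := probe(h)
		fmt.Printf("hardened=%v status=%d recordSurvived=%v\n", h, code, ok)
	}
}
```

Both variants answer 403, so a regression test for this class of bug has to assert on the stored state after the request, not on the status code alone.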

CVEs (1)

Affected Vendors

Mattermost

Affected Products (2)

Mattermost · Mattermost Plugins <1.1.5.0
Mattermost · Mattermost Plugins 1.1.5.0
