Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endp

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534

Affected Products

Vendor	Product	Versions
mattermost	mattermost_server	< 10.11.10, < 11.1.3, < 11.2.2, <= 1.11.0

References

https://mattermost.com/security-updates(Vendor Advisory)

CVSS 3.14.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

10.11.1011.1.311.2.2

CWECWE-862

PublishedFeb 16, 2026

Last enriched5d ago

Trending Score0

Source articles0

Independent0

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endp

Description

Affected Products

References

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline