Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check

Description

Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621

Affected Products

Vendor	Product	Versions
mattermost	mattermost	0

References

https://mattermost.com/security-updates(vendor-advisory)

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-3524 | Mattermost Legal Hold Plugin up to 1.1.4 API authorization

→ No new info (linked only)

CVSS 3.18.3 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.1.5

CWECWE-862

PublishedApr 6, 2026

Last enriched5h agov2

Trending Score53

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 5h ago

v2Tier C5h ago

Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploited

via VulDB

v16h ago

Initial creation

Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History