Moderate severity · NVD Advisory · Published Feb 16, 2026 · Updated Feb 17, 2026
Mattermost Zoom Plugin channel preference API lacks authorization checks
CVE-2026-0997
Description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <= 1.11.0 fail to validate the authenticated user when processing `/plugins/zoom/api/v1/channel-preference`, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests. Mattermost Advisory ID: MMSA-2025-00558
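The defensive pattern the description implies, as an added example that is not the plugin's own code: the handler takes the caller's identity only from the `Mattermost-User-Id` header the server sets, then requires a management right on the target channel before writing the preference. `Store`, `memStore`, `CanManageChannel` and `SetChannelRestriction` are hypothetical stand-ins for the plugin's permission and KV APIs, and the request body shape is assumed.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Store is a hypothetical stand-in for the plugin's permission/KV APIs (not the real Mattermost plugin API).
type Store interface {
	CanManageChannel(userID, channelID string) bool // may userID change settings on channelID?
	SetChannelRestriction(channelID string, restrict bool)
}

// channelPreferenceHandler takes the caller identity only from the Mattermost-User-Id header
// (set server-side, never from the body) and requires a channel management right before any write.
func channelPreferenceHandler(store Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("Mattermost-User-Id")
		if userID == "" {
			http.Error(w, "not authorized", http.StatusUnauthorized)
			return
		}
		var req struct { ChannelID string `json:"channel_id"`; Restrict bool `json:"restrict"` } // assumed body shape
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.ChannelID == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !store.CanManageChannel(userID, req.ChannelID) { // the per-channel authorization check the advisory says was missing
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		store.SetChannelRestriction(req.ChannelID, req.Restrict)
		w.WriteHeader(http.StatusOK)
	}
}

// memStore is a constructed in-memory Store; managers maps channel ID -> the one user allowed to manage it.
type memStore struct { managers map[string]string; restrictions map[string]bool }

func (m *memStore) CanManageChannel(u, c string) bool       { return m.managers[c] == u }
func (m *memStore) SetChannelRestriction(c string, r bool) { m.restrictions[c] = r }

// submit drives the handler with one constructed request and returns the HTTP status code.
func submit(h http.HandlerFunc, userID, body string) int {
	r := httptest.NewRequest(http.MethodPost, "/plugins/zoom/api/v1/channel-preference", strings.NewReader(body))
	r.Header.Set("Mattermost-User-Id", userID) // empty userID simulates an unauthenticated caller
	rec := httptest.NewRecorder()
	h(rec, r)
	return rec.Code
}

func main() {}
```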
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-plugin-zoom (Go) | < 1.11.0 | 1.11.0 |
Affected products
- Range: 11.1.0
Patches
a8b58c43625a Fix issue of updation of all post through API call (#434)
1 file changed · +24 −0
server/http.go+24 −0 modified@@ -121,6 +121,28 @@ func (p *Plugin) submitFormPMIForMeeting(w http.ResponseWriter, r *http.Request) channelID := postActionIntegrationRequest.Context[channelIDForContext].(string) rootID := postActionIntegrationRequest.Context[rootIDForContext].(string) + userIDFromHeader := r.Header.Get("Mattermost-User-Id") + if userIDFromHeader != userID { + p.API.LogWarn("User ID mismatch", "header_user_id", userIDFromHeader, "context_user_id", userID) + http.Error(w, "user ID mismatch", http.StatusBadRequest) + return + } + + if action != usePersonalMeetingID && action != useAUniqueMeetingID { + p.API.LogWarn("Invalid meeting action", "action", action) + http.Error(w, "invalid meeting action", http.StatusBadRequest) + return + } + + // Attempt to get ephemeral post should return an error. + // Validate bot ownership if not an ephemeral post. + oldPost, appErr := p.client.Post.GetPost(rootID) + if appErr == nil && oldPost.UserId != p.botUserID { + p.API.LogWarn("Post not created by bot", "post_id", rootID, "user_id", oldPost.UserId) + http.Error(w, "cannot update post created by non-bot user", http.StatusForbidden) + return + } + slackAttachment := model.SlackAttachment{ Text: fmt.Sprintf("You have selected `%s` to start the meeting.", action), } @@ -141,6 +163,7 @@ func (p *Plugin) submitFormPMIForMeeting(w http.ResponseWriter, r *http.Request) if err := p.storeUserPreference(userID, val); err != nil { p.API.LogWarn("failed to update preferences for the user", "Error", err.Error()) + http.Error(w, "failed to update preferences for the user", http.StatusInternalServerError) return } @@ -160,6 +183,7 @@ func (p *Plugin) submitFormPMIForMeeting(w http.ResponseWriter, r *http.Request) p.API.UpdateEphemeralPost(userID, post) w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) if err := json.NewEncoder(w).Encode(post); err != nil { p.API.LogError("failed to write response", "Error", err.Error()) }
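Review bot: in the first hunk, the bot-ownership check is skipped whenever GetPost returns an error (`if appErr == nil && oldPost.UserId != p.botUserID`), so any store failure, not only the expected not-found for an ephemeral post, lets the update proceed; distinguish a not-found error from other errors and fail closed on the latter. The two unchecked type assertions on `Context[...]` just above the added lines (`.(string)`) will panic on a missing or non-string key, so a two-value assertion returning 400 would be safer, and the header mismatch is returned as 400 where 403 expresses the condition better. Note also that the patched function is submitFormPMIForMeeting, not the channel-preference handler named in the description, so this diff alone does not show the fix for that path.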
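Review bot: in the second hunk the added http.Error is correct, since the handler previously returned without writing any response on a preference-store failure; the log key "Error" is inconsistent with the snake_case keys used in the first hunk ("header_user_id", "post_id"), so consider "error" for uniform structured logging.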
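Review bot: in the third hunk the explicit w.WriteHeader(http.StatusOK) is redundant, because the JSON encoder's first Write already sends 200 implicitly, though it is harmless and correctly placed after Content-Type is set; if Encode then fails, the error is only logged and the 200 is already committed, so the client cannot be told, which is worth a comment.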
References
- github.com/advisories/GHSA-2phx-frhf-xr55 (advisory, via GHSA)
- mattermost.com/security-updates (vendor advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-0997 (advisory, via GHSA)
- github.com/mattermost/mattermost-plugin-zoom/commit/a8b58c43625ab25746e451acc4f71515d52c8122 (web, via GHSA)