Platform
mattermost
Component
legal-hold
Fixed in
1.1.5
CVE-2026-3524 is an authorization bypass vulnerability in the Mattermost Legal Hold Plugin. The flaw lets any authenticated Mattermost user read and manipulate legal hold data, potentially leading to data breaches and compliance violations. Plugin versions 0.0.0 through 1.1.4 are affected; the fix ships in version 1.1.5.
CVE-2026-3524 in Mattermost's Legal Hold plugin (versions <= 1.1.4) allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. The root cause is that the plugin's ServeHTTP handler does not halt request processing after an authorization check fails, so the request continues into the privileged code path and the operation is carried out for the unauthorized caller. An attacker with authenticated access to the Mattermost instance could exploit this to compromise the confidentiality, integrity, and availability of legal hold data, with potentially significant regulatory compliance and information security consequences. The vulnerability carries a CVSS base score of 8.3 (High).
Any authenticated Mattermost user, with no elevated privileges, could exploit this vulnerability by sending crafted requests to the Legal Hold plugin's API endpoints. Because the failed authorization check does not abort the handler, the privileged operation still runs, and the attacker can read, create, download and delete legal hold data. Exploitation is straightforward once the attacker holds a valid session. The response to such a request may still look like a rejection even though the operation was performed, so sensitive legal hold data could be compromised without immediate detection.
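The fall-through described above, as an added Go example that is not code from the plugin or from Mattermost: a vulnerable ServeHTTP that writes a 403 but keeps executing, beside the fixed form that returns after the failed check. The authorization policy, the user IDs, the endpoint path and the legal hold record are constructed for this example; the Mattermost-User-Id header is the one the Mattermost server sets on requests it forwards to a plugin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stand-in authorization policy for this example: only the user IDs in this
// set may touch legal hold data. The real plugin's policy is not reproduced.
var legalHoldAdmins = map[string]bool{"admin-user-id": true}

// isAuthorized reads the Mattermost-User-Id header, which the Mattermost
// server sets on requests it forwards to a plugin, and checks the policy.
func isAuthorized(r *http.Request) bool {
	return legalHoldAdmins[r.Header.Get("Mattermost-User-Id")]
}

// listLegalHolds stands in for the privileged operation; constructed data.
func listLegalHolds(w http.ResponseWriter) {
	fmt.Fprint(w, `[{"id":"hold-1","name":"Litigation X"}]`)
}

// VulnerableServeHTTP reproduces the bug class the advisory describes: the
// failed check writes a 403 but does not return, so execution falls through
// into the privileged operation and the data is appended to the response.
func VulnerableServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !isAuthorized(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// BUG: no return here; processing continues below.
	}
	listLegalHolds(w)
}

// FixedServeHTTP halts request processing after the failed check.
func FixedServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !isAuthorized(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	listLegalHolds(w)
}

// Probe sends one in-memory request as userID and reports the HTTP status
// and whether legal hold data ended up in the response body.
func Probe(handler http.HandlerFunc, userID string) (status int, leaked bool) {
	// Hypothetical endpoint path, constructed for the example.
	req := httptest.NewRequest(http.MethodGet, "/plugins/legal_hold/api/v1/legal_holds", nil)
	req.Header.Set("Mattermost-User-Id", userID)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), `"hold-1"`)
}

func main() {
	handlers := []struct {
		name string
		fn   http.HandlerFunc
	}{{"vulnerable", VulnerableServeHTTP}, {"fixed", FixedServeHTTP}}
	for _, h := range handlers {
		status, leaked := Probe(h.fn, "low-priv-user-id")
		fmt.Printf("%-10s as low-priv user: status=%d data_leaked=%v\n", h.name, status, leaked)
	}
}
```

Running it, the vulnerable handler answers the low-privilege user with status 403 and the legal hold record appended after the error text, which is why an error status in a log does not prove the action was blocked; the fixed handler answers 403 with no data, and the allowed user gets 200 with the data.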
Organizations utilizing Mattermost for compliance and legal hold purposes are at significant risk. This includes legal teams, compliance officers, and IT administrators responsible for data governance. Specifically, deployments relying heavily on the Legal Hold Plugin for eDiscovery or regulatory compliance are particularly vulnerable.
• mattermost / plugin:
# Check the installed plugin version (the directory name is the plugin's id from its plugin.json; adjust if yours differs)
grep '"version"' /opt/mattermost/plugins/legal_hold/plugin.json
• mattermost / audit logs:
# Search the audit log for requests to Legal Hold endpoints (adjust the path to your Mattermost logs directory)
grep 'legal_hold' /var/log/mattermost/audit.log
• generic web:
# Check whether the Legal Hold API endpoint is reachable; an unauthenticated request should be rejected, and exploitation itself requires a valid session
curl -I https://mattermost.example.com/plugins/legal_hold/api/v1/legal_holds
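An added version check, not the plugin's or Mattermost's own code, that parses a plugin.json manifest and reports whether the installed build is below 1.1.5. The sample manifest and its id are constructed, and the id check is deliberately loose because the exact plugin id is not reproduced here. It goes beyond the grep above in one respect: it orders versions numerically, so a hypothetical 1.10.0 is not mistaken for an affected build, and it treats a pre-release of 1.1.5 as still affected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the first Legal Hold plugin release that halts processing
// after a failed authorization check, per the advisory.
const FixedVersion = "1.1.5"

// Constructed sample manifest; a real plugin.json has more fields, ignored here.
const sampleManifest = `{"id":"legal_hold","name":"Legal Hold","version":"1.1.4"}`

type manifest struct {
	ID      string `json:"id"`
	Version string `json:"version"`
}

type version struct {
	parts      [3]int
	prerelease bool
}

// parseVersion accepts "1.1.4", "v1.1.4" and "1.1.5-rc1" style strings.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.prerelease = s[i] == '-' // "+build" metadata does not affect ordering
		s = s[:i]
	}
	fields := strings.Split(s, ".")
	if len(fields) != 3 {
		return v, fmt.Errorf("unexpected version format %q", s)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", f)
		}
		v.parts[i] = n
	}
	return v, nil
}

// older reports whether a sorts before b under semver ordering; a pre-release
// of the fixed version (e.g. 1.1.5-rc1) is treated as older than the release.
func older(a, b version) bool {
	for i := range a.parts {
		if a.parts[i] != b.parts[i] {
			return a.parts[i] < b.parts[i]
		}
	}
	return a.prerelease && !b.prerelease
}

// IsAffected parses a plugin.json manifest and reports whether the installed
// Legal Hold plugin is below FixedVersion. Manifests for other plugins or with
// unparseable versions return an error rather than a silent "not affected".
func IsAffected(pluginJSON []byte) (bool, error) {
	var m manifest
	if err := json.Unmarshal(pluginJSON, &m); err != nil {
		return false, fmt.Errorf("parse manifest: %w", err)
	}
	// Loose sanity check on the id; the exact plugin id is an assumption here.
	if !strings.Contains(strings.ToLower(m.ID), "legal") {
		return false, fmt.Errorf("manifest id %q does not look like the Legal Hold plugin", m.ID)
	}
	have, err := parseVersion(m.Version)
	if err != nil {
		return false, err
	}
	want, _ := parseVersion(FixedVersion)
	return older(have, want), nil
}

func main() {
	affected, err := IsAffected([]byte(sampleManifest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sample manifest affected by CVE-2026-3524: %v\n", affected)
}
```

Feed it the contents of each host's plugin.json; an error return means the file needs a look by hand rather than being counted as patched.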
EPSS
0.02% (4th percentile)
The fix is to upgrade the Legal Hold plugin to version 1.1.5 or later, which halts request processing after a failed authorization check and so closes the bypass. Apply the update as soon as possible to protect your Mattermost instance and its legal hold data. Additionally, review user permissions and access policies so that only authorized users can reach legal hold data, and monitor Mattermost logs for requests to the plugin's API endpoints from users who should not be handling legal holds.
Update the Legal Hold plugin to version 1.1.5 or later to mitigate the authorization bypass. The update corrects the missing permission enforcement, preventing unauthorized access to legal hold data.
CVE-2026-3524 is a HIGH severity vulnerability allowing authenticated attackers to access and manipulate legal hold data because the Mattermost Legal Hold Plugin does not halt request processing after a failed authorization check.
You are affected if you are using Mattermost Legal Hold Plugin versions 0.0.0 through 1.1.4. Upgrade to 1.1.5 or later to mitigate the risk.
Upgrade the Mattermost Legal Hold Plugin to version 1.1.5 or later. Consider temporary workarounds like restricting access to plugin API endpoints if immediate upgrade is not possible.
There are currently no known public exploits, but the vulnerability's nature suggests it could be easily exploited once a PoC is developed. Monitor security advisories.
Refer to the official Mattermost advisory: MMSA-2026-00621.