CVE-2026-3524: Mattermost Legal Hold Plugin Auth Bypass (HIGH)
Platform: mattermost
Component: legal-hold
Fixed in: 1.1.5
CVE-2026-3524 is a security vulnerability in the Mattermost Legal Hold Plugin. It stems from a failure to halt request processing after an authorization check rejects the caller, which lets an authenticated attacker manipulate legal hold data. Versions 0.0.0 through 1.1.4 are affected; a patch is available in version 1.1.5.
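The bug class described above, as an added illustration that is not the plugin's own code: a hypothetical Go handler writes a 403 for unauthorized callers but falls through and deletes the record anyway, beside the corrected handler that returns right after the denial. The in-memory store, the X-Role header check and the URL path are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// holdStore is a constructed in-memory stand-in for legal hold records.
type holdStore struct{ holds map[string]bool }

// isAdmin is a hypothetical permission check keyed on a request header
// (constructed for this example, not how Mattermost authorizes users).
func isAdmin(r *http.Request) bool { return r.Header.Get("X-Role") == "admin" }

// vulnerableDelete writes a 403 for non-admins but never returns, so the
// delete below runs anyway: the caller sees "forbidden" yet the data is gone.
func (s *holdStore) vulnerableDelete(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// BUG: missing return; processing continues past the denial
	}
	delete(s.holds, r.URL.Query().Get("id"))
	w.WriteHeader(http.StatusNoContent) // no effect: a status was already written
}

// fixedDelete is the same handler with the missing return restored.
func (s *holdStore) fixedDelete(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return // stop here; nothing below may run for a denied request
	}
	delete(s.holds, r.URL.Query().Get("id"))
	w.WriteHeader(http.StatusNoContent)
}

// exercise sends a non-admin DELETE for hold "h1" to the given handler and
// reports the HTTP status plus whether h1 survived (the path is made up).
func exercise(h func(*holdStore, http.ResponseWriter, *http.Request)) (int, bool) {
	s := &holdStore{holds: map[string]bool{"h1": true}}
	req := httptest.NewRequest(http.MethodDelete, "/plugins/legal-hold/api/v1/holds?id=h1", nil)
	req.Header.Set("X-Role", "member")
	rec := httptest.NewRecorder()
	h(s, rec, req)
	return rec.Code, s.holds["h1"]
}

func main() {
	code, kept := exercise((*holdStore).vulnerableDelete)
	fmt.Printf("vulnerable: status=%d hold survived=%v\n", code, kept) // 403 false
	code, kept = exercise((*holdStore).fixedDelete)
	fmt.Printf("fixed:      status=%d hold survived=%v\n", code, kept) // 403 true
}
```

Both handlers log a 403, so an audit keyed on response status alone would not reveal that the vulnerable one also performed the deletion; reviewing every denial branch for an early return is the check that catches this pattern.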
How to fix
Upgrade the Legal Hold plugin to version 1.1.5 or later to mitigate the authorization bypass vulnerability. This update corrects the missing permission enforcement, preventing unauthorized access to legal hold data.
Frequently asked questions
What is CVE-2026-3524?
CVE-2026-3524 is a vulnerability in the Mattermost Legal Hold Plugin that allows authenticated attackers to bypass authorization checks and access, create, download, and delete legal hold data through crafted API requests.
Am I affected by CVE-2026-3524?
You are affected if you are using the Mattermost Legal Hold Plugin versions 0.0.0 through 1.1.4. Versions prior to 1.1.5 are vulnerable to this authorization bypass.
How do I fix CVE-2026-3524?
Upgrade the Mattermost Legal Hold Plugin to version 1.1.5 or later to resolve this vulnerability. This update includes the necessary fix for the authorization bypass.