Platform: mattermost
Component: legal-hold
Fixed in: 1.1.5
CVE-2026-3524 is an authorization bypass vulnerability discovered in the Mattermost Legal Hold Plugin. This flaw allows authenticated attackers to manipulate sensitive legal hold data, potentially leading to data breaches and compliance violations. The vulnerability affects versions 0.0.0 through 1.1.5 of the plugin, and a fix is available in version 1.1.5.
The core issue lies in the plugin's failure to properly halt request processing after an authorization check fails. This means that even if a user is not authorized to perform a specific action, the plugin may still proceed with the request, granting unauthorized access. An attacker could leverage this to create, access, download, and delete legal hold data, potentially compromising sensitive information subject to legal preservation requirements. The blast radius extends to any organization using the Legal Hold Plugin for compliance purposes, as unauthorized data manipulation could lead to legal and regulatory repercussions. This vulnerability highlights the importance of robust authorization checks in plugin development, particularly when dealing with sensitive data.
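The failure mode described above, a handler that writes a "forbidden" response but keeps executing, is shown below as an added illustration in Go (Mattermost plugins are written in Go). This is not the plugin's code: the handler names, the `isAdmin` check and the payload string are assumptions; only the `Mattermost-User-Id` header, which the server sets on requests forwarded to plugins, is real.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isAdmin stands in for the plugin's permission check (hypothetical).
func isAdmin(userID string) bool { return userID == "admin" }

// vulnerableDownload writes a 403 on a failed check but never returns,
// so the privileged action below still runs for the unauthorized caller.
func vulnerableDownload(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r.Header.Get("Mattermost-User-Id")) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// BUG: missing return; request processing continues.
	}
	_, _ = w.Write([]byte("legal-hold-archive-bytes")) // constructed payload
}

// fixedDownload halts processing as soon as the check fails.
func fixedDownload(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r.Header.Get("Mattermost-User-Id")) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	_, _ = w.Write([]byte("legal-hold-archive-bytes"))
}

// Probe calls a handler as the given user and reports the status code and
// whether the privileged payload reached the response body. The status code
// alone is misleading: the vulnerable handler still answers 403.
func Probe(h http.HandlerFunc, userID string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/download", nil)
	req.Header.Set("Mattermost-User-Id", userID)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), "legal-hold-archive-bytes")
}

func main() {
	for _, uid := range []string{"alice", "admin"} {
		code, leaked := Probe(vulnerableDownload, uid)
		fmt.Printf("vulnerable user=%s status=%d leaked=%v\n", uid, code, leaked)
		code, leaked = Probe(fixedDownload, uid)
		fmt.Printf("fixed      user=%s status=%d leaked=%v\n", uid, code, leaked)
	}
}
```

Because the vulnerable handler still returns 403, a check that only inspects status codes will report the fix as present; verify on the response body or on the server-side action instead.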
CVE-2026-3524 was publicly disclosed on April 6, 2026. Its severity is rated HIGH (CVSS 8.3). There are currently no known public proof-of-concept exploits, but the vulnerability's nature suggests it could be easily exploited once a PoC is developed. It is not currently listed on CISA KEV. Monitor Mattermost's security advisories and security mailing lists for updates.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Mattermost Legal Hold Plugin to version 1.1.5 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. While a direct WAF rule is difficult without specific endpoint knowledge, restricting access to the plugin's API endpoints based on user roles and permissions can provide a layer of defense. Review Mattermost's audit logs for any suspicious activity related to the Legal Hold Plugin. After upgrading, confirm the fix by attempting to access legal hold data without proper authorization; the request should be denied.
Update the Legal Hold plugin to version 1.1.5 or higher to mitigate the authorization bypass vulnerability. This update corrects the inadequate permission check, preventing unauthorized access to legal hold data.
CVE-2026-3524 is a HIGH severity vulnerability allowing authenticated attackers to access and manipulate legal hold data due to a failed authorization check in the Mattermost Legal Hold Plugin.
You are affected if you are using Mattermost Legal Hold Plugin versions 0.0.0 through 1.1.5. Upgrade to 1.1.5 to mitigate the risk.
Upgrade the Mattermost Legal Hold Plugin to version 1.1.5 or later. Consider temporary workarounds like restricting access to plugin API endpoints if immediate upgrade is not possible.
There are currently no known public exploits, but the vulnerability's nature suggests it could be easily exploited once a PoC is developed. Monitor security advisories.
Refer to the official Mattermost advisory: MMSA-2026-00621.