CVE-2026-3524

Severity

UNKNOWN

Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check

Platform

mattermost

Component

legal-hold

Fixed in

1.1.5

Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP, which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621
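The bug class named in the description is a handler that writes the 403 response and then keeps executing. The following Go snippet is an added illustration, not the Legal Hold plugin's code: hasPermission is a hypothetical stand-in for the plugin's authorization lookup, the endpoint path and user IDs are constructed, and the Mattermost-User-Id header is assumed to be how the server passes the caller's identity to plugin HTTP handlers. It places the fall-through handler beside the corrected one and drives both with httptest so the difference is visible in the response body.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hasPermission is a hypothetical stand-in for the plugin's authorization
// lookup. Only the constructed user ID "admin-user" is authorized.
func hasPermission(userID string) bool {
	return userID == "admin-user"
}

// vulnerableServeHTTP reproduces the bug class from the advisory: the 403 is
// written, but the handler does not return, so the privileged code still runs
// and the data is appended to the same response.
func vulnerableServeHTTP(w http.ResponseWriter, r *http.Request) {
	userID := r.Header.Get("Mattermost-User-Id")
	if !hasPermission(userID) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// missing return: execution falls through to the data-serving code
	}
	fmt.Fprint(w, "legal hold data")
}

// fixedServeHTTP halts processing after the failed authorization check.
func fixedServeHTTP(w http.ResponseWriter, r *http.Request) {
	userID := r.Header.Get("Mattermost-User-Id")
	if !hasPermission(userID) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "legal hold data")
}

// call drives a handler with a request that carries the given user ID and
// returns the status code and full body. The path is constructed for the
// example and is not the plugin's real route.
func call(h http.HandlerFunc, userID string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/legalholds", nil)
	req.Header.Set("Mattermost-User-Id", userID)
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, userID := range []string{"guest-user", "admin-user"} {
		code, body := call(vulnerableServeHTTP, userID)
		fmt.Printf("vulnerable user=%s status=%d body=%q\n", userID, code, body)
		code, body = call(fixedServeHTTP, userID)
		fmt.Printf("fixed      user=%s status=%d body=%q\n", userID, code, body)
	}
}
```

Note that the vulnerable handler still reports status 403 for the unauthorized caller, so a check that only looks at the status code would pass; the leak is only visible in the body, which is why response-body assertions belong in the authorization tests for every privileged route.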

How to fix

Update the Legal Hold plugin to version 1.1.5 or later to fix the authorization bypass vulnerability. This update corrects a flaw that allowed authenticated attackers to access, create, download, and delete legal hold data through crafted API requests.

CVE-2026-3524 — Vulnerability Details | NextGuard