Platform
mattermost
Component
legal-hold
Fixed in
1.1.5
CVE-2026-3524 is a vulnerability in the Legal Hold Plugin for Mattermost in which a failed authorization check is not handled correctly. This allows an authenticated attacker to view, create, download and delete legal hold data without authorization via API requests. The vulnerability affects plugin versions 0.0.0 through 1.1.4. A patch is available in version 1.1.5.
CVE-2026-3524 in Mattermost's Legal Hold plugin (versions <= 1.1.4) allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. The root cause is that the plugin's ServeHTTP handler does not halt request processing after an authorization check fails, so the requested operation still executes. An attacker with authenticated access to the Mattermost instance could exploit this to compromise the confidentiality, integrity, and availability of legal hold data, with potentially significant regulatory compliance and information security consequences. The vulnerability is rated 8.3 (High) on the CVSS scale.
An authenticated Mattermost user with minimal privileges could exploit this vulnerability by constructing specific API requests to the Legal Hold plugin's endpoints. Because the failed authorization check does not stop the request, the attacker bypasses the access control and can manipulate legal hold data. Exploitation is straightforward once authenticated access to the system has been obtained. The nature of the vulnerability means sensitive legal hold data could be compromised without immediate detection.
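The bug class described above, as an added example that is not the plugin's own code: a minimal Go ServeHTTP handler in the vulnerable shape (error response written, but no return after the failed check) beside the fixed shape, exercised with net/http/httptest. The in-memory store, the admin-only check and the route are assumptions for illustration; only the Mattermost-User-Id header reflects the real Mattermost plugin API, which forwards the authenticated user's ID to plugin handlers in that header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Illustrative handler, not the Legal Hold plugin's code. It models the bug
// class behind CVE-2026-3524: an authorization failure writes an error
// response but does not stop the handler, so the privileged operation runs.

// legalHoldStore stands in for the plugin's persisted legal holds (constructed).
type legalHoldStore struct {
	holds map[string]string
}

// isAuthorized is a stand-in check (assumption): only the user ID "admin",
// as forwarded by the Mattermost server in Mattermost-User-Id, may proceed.
func isAuthorized(r *http.Request) bool {
	return r.Header.Get("Mattermost-User-Id") == "admin"
}

// VulnerableServeHTTP writes 403 on failure but falls through to the operation.
func (s *legalHoldStore) VulnerableServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !isAuthorized(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// BUG: missing return; execution continues to the privileged operation
	}
	s.handle(w, r)
}

// FixedServeHTTP returns immediately after the failed check.
func (s *legalHoldStore) FixedServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !isAuthorized(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	s.handle(w, r)
}

// handle performs the privileged operation: DELETE removes a hold, GET counts them.
func (s *legalHoldStore) handle(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("id")
	switch r.Method {
	case http.MethodDelete:
		delete(s.holds, id)
		fmt.Fprintf(w, "deleted %s\n", id)
	case http.MethodGet:
		fmt.Fprintf(w, "%d holds\n", len(s.holds))
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

// Simulate sends an authenticated but unauthorized DELETE to either handler
// and returns the HTTP status the client saw and how many holds survive.
func Simulate(vulnerable bool) (status int, remaining int) {
	store := &legalHoldStore{holds: map[string]string{"lh-1": "case A", "lh-2": "case B"}}
	req := httptest.NewRequest(http.MethodDelete, "/plugins/legal_hold/api/v1/legal_holds?id=lh-1", nil)
	req.Header.Set("Mattermost-User-Id", "lowpriv") // authenticated, not authorized
	rec := httptest.NewRecorder()
	if vulnerable {
		store.VulnerableServeHTTP(rec, req)
	} else {
		store.FixedServeHTTP(rec, req)
	}
	return rec.Code, len(store.holds)
}

func main() {
	code, left := Simulate(true)
	fmt.Printf("vulnerable: status=%d holds_remaining=%d\n", code, left)
	code, left = Simulate(false)
	fmt.Printf("fixed:      status=%d holds_remaining=%d\n", code, left)
}
```

The telling detail is that both handlers answer 403 to the low-privilege client; only the store state reveals that the vulnerable one actually deleted the hold. That is why an audit of legal hold contents, not just of HTTP status codes, is the right check after upgrading.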
Organizations utilizing Mattermost for compliance and legal hold purposes are at significant risk. This includes legal teams, compliance officers, and IT administrators responsible for data governance. Specifically, deployments relying heavily on the Legal Hold Plugin for eDiscovery or regulatory compliance are particularly vulnerable.
• mattermost / plugin:
# Check the installed plugin version (path assumed; adjust to your plugin directory)
grep '"version"' /opt/mattermost/plugins/legal_hold/plugin.json
• mattermost / audit logs:
# Search the audit log for requests to Legal Hold endpoints (log path depends on your configuration)
grep 'legal_hold' /var/log/mattermost/audit.log
• generic web:
# Check whether the Legal Hold API endpoint is reachable and what status an unauthenticated request receives
curl -I https://mattermost.example.com/plugins/legal_hold/api/v1/legal_holds
Exploit Status
EPSS
0.02% (4th percentile)
The solution to mitigate this risk is to upgrade the Legal Hold plugin to version 1.1.5 or higher. This version includes a fix that halts request processing after a failed authorization check, eliminating the possibility of unauthorized access to legal hold data. It is strongly recommended to apply this update as soon as possible to protect your Mattermost instance and associated data. Additionally, review user permissions and access policies to ensure only authorized users have access to legal hold data. Monitor Mattermost logs for suspicious activity.
Update the Legal Hold plugin to version 1.1.5 or later to mitigate the authorization bypass vulnerability. This update fixes the missing proper permission enforcement, preventing unauthorized access to legal hold data.
CVE-2026-3524 is a HIGH severity vulnerability allowing authenticated attackers to access and manipulate legal hold data due to a failed authorization check in the Mattermost Legal Hold Plugin.
You are affected if you are using Mattermost Legal Hold Plugin versions 0.0.0 through 1.1.4. Upgrade to 1.1.5 or later to mitigate the risk.
Upgrade the Mattermost Legal Hold Plugin to version 1.1.5 or later. Consider temporary workarounds like restricting access to plugin API endpoints if immediate upgrade is not possible.
There are currently no known public exploits, but the vulnerability's nature suggests it could be easily exploited once a PoC is developed. Monitor security advisories.
Refer to the official Mattermost advisory: MMSA-2026-00621.