How serious is CVE-2026-0997?

This vulnerability has a CVSS score of 4.3 out of 10, classified as MEDIUM severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-0997?

CVE-2026-0997 affects mattermost mattermost server. Check the full CVE details for specific version information.

How do I fix CVE-2026-0997?

To remediate CVE-2026-0997, check for security patches from mattermost. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-0997

Medium

|4.3

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows any logged-in user to change Zoom meeting settings for any channel in Mattermost by sending specially crafted requests. It affects specific versions of Mattermost and the Zoom plugin, meaning that if you're using those versions, an attacker could exploit this flaw without needing special access.

Technical Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any logged-in user to change Zoom meeting restrictions for arbitrary channels via crafted API requests.. Mattermost Advisory ID: MMSA-2025-00558

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

Confidentiality ImpactNone

Integrity ImpactLow

Availability ImpactNone

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$552($500-$1K)

Vendor Response

Grade APatched in 2 days

Quick Information

Published

Feb 16, 2026

about 2 months ago

Last Modified

Feb 18, 2026

about 2 months ago

Vendor

mattermost

Product

mattermost server

Related Vulnerabilities

CVE-2026-1628Medium

This vulnerability allows an attacker to trick users into opening malicious links within the Mattermost desktop app, potentially exposing sensitive information or enabling harmful actions on untrusted servers. It affects versions up to 5.13.3 and requires the user to click on an external link while using the app.

CVE-2025-14573Low

This vulnerability allows team administrators to improperly add users to their team through API requests, even if they don't have the necessary permissions. It affects specific versions of Mattermost and requires the attacker to have administrative access to the team settings.

CVE-2025-14350Medium

This vulnerability allows an attacker who is already logged into Mattermost to find out the names and URLs of teams they shouldn't have access to by posting links in channels and checking the system's responses. It affects specific versions of Mattermost and highlights a failure to properly check if a user is part of a team before revealing its information.

CVE-2025-13821Medium

This vulnerability allows an attacker to steal sensitive information, like password hashes and multi-factor authentication secrets, from other users by manipulating their profile nickname or during email verification events. The attacker must already be logged in as an authenticated user on the affected versions of Mattermost to exploit this weakness.

CVE-2026-0999Medium

This vulnerability allows an attacker who is already logged in to bypass single sign-on (SSO) requirements and use a userID-based login instead. It affects specific versions of Mattermost, meaning only users on those versions are at risk.