CVE-2026-2299

Summary

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost Google Drive Plugin0 <= 1.0.0affected
MattermostMattermost Google Drive Plugin1.1.0unaffected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References