CVE-2026-9699

Summary

Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 10.18.11affected
MattermostMattermost0 <= 11.3.6affected
MattermostMattermost0 <= 11.6.5affected
MattermostMattermost11.7.0unaffected
MattermostMattermost10.11.19unaffected
MattermostMattermost11.6.4unaffected
MattermostMattermost11.5.7unaffected

Weaknesses

  • CWE-532: CWE-532: Insertion of Sensitive Information into Log Files

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References