Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Mattermost Google Drive Plugin by Mattermost

    CVE-2026-2299 (GCVE-0-2026-2299)

    Vulnerability from nvd – Published: 2026-06-25 18:55 – Updated: 2026-06-26 14:05
    VLAI
    Title
    Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint
    Summary
    The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Google Drive Plugin Affected: 0 , ≤ 1.0.0 (semver)
    Unaffected: 1.1.0
    Create a notification for this product.
    Credits
    Lorenzo Gallegos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2299",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T14:04:57.007408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T14:05:09.476Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost Google Drive Plugin",
              "repo": "https://github.com/mattermost/mattermost-plugin-google-drive",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lorenzo Gallegos"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
                }
              ],
              "value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T18:55:11.905Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://github.com/mattermost/mattermost-plugin-google-drive/releases/tag/v1.1.0"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Google Drive plugin to version 1.1.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Google Drive plugin to version 1.1.0 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-2299",
        "datePublished": "2026-06-25T18:55:11.905Z",
        "dateReserved": "2026-02-10T16:46:56.322Z",
        "dateUpdated": "2026-06-26T14:05:09.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2299 (GCVE-0-2026-2299)

    Vulnerability from cvelistv5 – Published: 2026-06-25 18:55 – Updated: 2026-06-26 14:05
    VLAI
    Title
    Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint
    Summary
    The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Google Drive Plugin Affected: 0 , ≤ 1.0.0 (semver)
    Unaffected: 1.1.0
    Create a notification for this product.
    Credits
    Lorenzo Gallegos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2299",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T14:04:57.007408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T14:05:09.476Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Mattermost Google Drive Plugin",
              "repo": "https://github.com/mattermost/mattermost-plugin-google-drive",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lorenzo Gallegos"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
                }
              ],
              "value": "The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T18:55:11.905Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "url": "https://github.com/mattermost/mattermost-plugin-google-drive/releases/tag/v1.1.0"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eUpdate Mattermost Google Drive plugin to version 1.1.0 or higher.\u003c/p\u003e"
                }
              ],
              "value": "Update Mattermost Google Drive plugin to version 1.1.0 or higher."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2026-2299",
        "datePublished": "2026-06-25T18:55:11.905Z",
        "dateReserved": "2026-02-10T16:46:56.322Z",
        "dateUpdated": "2026-06-26T14:05:09.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }