VDB
CVE-2026-0998
CVE-2026-0998
PUBLISHED
CVSS 4.300000190734863 MEDIUM
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534
EPSS 0.04% · 13.0th percentile
Risk Scores
CVSS 3.1
4.300000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score
0.04%
13.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mattermost | Mattermost | 11.2.0, 11.2.2, 10.11.10 |
| github.com | mattermost/mattermost-plugin-zoom | 0, 0 |
| mattermost | mattermost_server | 10.11.0, 11.1.0, 11.2.0 |
| mattermost | zoom | 0, 0 |
Timeline
- Feb 16, 2026 CVE Published
- Feb 16, 2026 EPSS Score
- Feb 18, 2026 EPSS Score
- Feb 19, 2026 CVE Updated
- Feb 20, 2026 EPSS Score
- Feb 21, 2026 EPSS Score
- Feb 23, 2026 EPSS Score
- Feb 25, 2026 EPSS Score
- Feb 27, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
- Mar 4, 2026 EPSS Score