VDB

CVE-2026-0998

CVE-2026-0998 PUBLISHED CVSS 4.300000190734863 MEDIUM

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data.. Mattermost Advisory ID: MMSA-2025-00534

EPSS 0.04% · 13.0th percentile

Risk Scores

CVSS 3.1
4.300000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score
0.04%
13.0th percentile

Affected Products

VendorProductVersions
MattermostMattermost11.2.0, 11.2.2, 10.11.10
github.commattermost/mattermost-plugin-zoom0, 0
mattermostmattermost_server10.11.0, 11.1.0, 11.2.0
mattermostzoom0, 0

Timeline

  • Feb 16, 2026 CVE Published
  • Feb 16, 2026 EPSS Score
  • Feb 18, 2026 EPSS Score
  • Feb 19, 2026 CVE Updated
  • Feb 20, 2026 EPSS Score
  • Feb 21, 2026 EPSS Score
  • Feb 23, 2026 EPSS Score
  • Feb 25, 2026 EPSS Score
  • Feb 27, 2026 EPSS Score
  • Mar 1, 2026 EPSS Score
  • Mar 3, 2026 EPSS Score
  • Mar 4, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›