CVE Catalog

CVE-2026-2299

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

Risk Assessment

The risk involves unauthorized disclosure of sensitive files and information about private channel membership, potentially compromising organizational data confidentiality.

Recommendation

It is recommended to immediately update the Google Drive plugin to version 1.1.0 or later, which includes the channel membership validation fix.

Original NVD description (English source)

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS