CVE-2026-2299
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.
Risk Assessment
The risk involves unauthorized disclosure of sensitive files and information about private channel membership, potentially compromising organizational data confidentiality.
Recommendation
It is recommended to immediately update the Google Drive plugin to version 1.1.0 or later, which includes the channel membership validation fix.
Original NVD description (English source)
The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

