CVE-2026-9699
MediumCVSS 6.8Summary
The vulnerability in Mattermost Plugins versions up to 11.6, 10.18.11, 11.3.6, and 11.6.5.0 fails to sanitize error responses from the OpenAI API before logging, allowing a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures.
Risk Assessment
The risk involves potential leakage of the OpenAI API key, which could lead to unauthorized access to OpenAI services, data confidentiality breaches, and financial costs from unauthorized key usage.
Recommendation
It is recommended to immediately update Mattermost Plugins to a version newer than 11.6, 10.18.11, 11.3.6, and 11.6.5.0, rotate the OpenAI API key, and review logs for signs of leakage.
Original NVD description (English source)
Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609

