CVE-2026-0998 Overview
CVE-2026-0998 is an authorization bypass vulnerability affecting Mattermost Server and the Mattermost Zoom Plugin. The vulnerability exists in the /api/v1/askPMI endpoint, which fails to properly validate user identity and post ownership. This flaw allows authenticated attackers to start Zoom meetings impersonating any user and overwrite arbitrary posts through direct API calls with manipulated user IDs and post data.
Critical Impact
Unauthorized users can impersonate other users to initiate Zoom meetings and modify arbitrary posts, potentially leading to social engineering attacks, meeting hijacking, and content manipulation within team collaboration channels.
Affected Products
- Mattermost Server versions 11.1.x <= 11.1.2
- Mattermost Server versions 10.11.x <= 10.11.9
- Mattermost Server versions 11.2.x <= 11.2.1
- Mattermost Plugin Zoom versions <= 1.11.0
Discovery Timeline
- 2026-02-16 - CVE-2026-0998 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-0998
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), indicating a fundamental failure to implement proper access control checks. The /api/v1/askPMI endpoint in the Mattermost Zoom Plugin does not adequately verify that the requesting user has permission to perform actions on behalf of other users or modify posts they do not own.
The attack can be executed over the network by any authenticated user with low-privilege access. While the integrity impact is limited to unauthorized meeting initiation and post modification, the absence of proper authorization checks creates opportunities for targeted attacks against specific users or channels within an organization's Mattermost deployment.
Root Cause
The root cause is a missing authorization check (CWE-862) in the /api/v1/askPMI endpoint handler. The endpoint accepts user ID and post ID parameters without verifying that the authenticated user matches the specified user ID or owns the specified post. This allows any authenticated user to supply arbitrary identifiers and perform actions as if they were another user.
Attack Vector
The vulnerability is exploitable via network-based API requests. An attacker with valid Mattermost credentials can craft API calls to the vulnerable endpoint, specifying a target user's ID to initiate Zoom meetings under their identity. Additionally, the attacker can manipulate post data by providing arbitrary post IDs, enabling them to overwrite content in channels they may not have direct write access to.
The attack requires authentication (low privilege level) but no user interaction, making it straightforward to exploit once valid credentials are obtained. The primary impact is to data integrity through unauthorized meeting invitations and post content manipulation.
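An added example (not Mattermost's or the Zoom plugin's own code) of the check the root cause above describes as missing, written in Go because the plugin is a Go plugin: the acting user is taken from the Mattermost-User-Id header that the server attaches to requests it forwards to a plugin, never from the request body, and the post's author is compared against that user before any overwrite. The Post type, the PostLookup hook and the demo data are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Post is a minimal stand-in for a Mattermost post (constructed here, not the plugin's type).
type Post struct {
	ID, UserID string // UserID is the post's author
}

// PostLookup is an assumed lookup hook; a real plugin would back it with the plugin API.
type PostLookup func(id string) (*Post, error)
var ErrUnauthenticated = errors.New("no authenticated user on request")
var ErrNotOwner = errors.New("post is not owned by the requesting user")

// AuthorizeAskPMI returns the user the request may act as. The actor comes only
// from the Mattermost-User-Id header, which the server sets on requests it
// forwards to a plugin; a user_id in the client-controlled body (the
// CVE-2026-0998 pattern) is never consulted. The post must also belong to the actor.
func AuthorizeAskPMI(r *http.Request, lookup PostLookup, postID string) (string, error) {
	actor := r.Header.Get("Mattermost-User-Id")
	if actor == "" {
		return "", ErrUnauthenticated
	}
	post, err := lookup(postID)
	if err != nil {
		return "", err
	}
	if post.UserID != actor {
		return "", ErrNotOwner
	}
	return actor, nil
}

func main() {
	lookup := func(id string) (*Post, error) { // constructed demo data
		if id == "p1" {
			return &Post{ID: "p1", UserID: "alice"}, nil
		}
		return nil, errors.New("post not found")
	}
	r, _ := http.NewRequest(http.MethodPost, "/api/v1/askPMI", nil)
	r.Header.Set("Mattermost-User-Id", "mallory") // the session user, not a body field
	_, err := AuthorizeAskPMI(r, lookup, "p1")
	fmt.Println("mallory acting on alice's post:", err)
}
```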
Detection Methods for CVE-2026-0998
Indicators of Compromise
- Unexpected Zoom meeting invitations appearing to originate from users who did not initiate them
- Modified or overwritten posts in channels, particularly with content the original author did not write
- API logs showing /api/v1/askPMI requests where the authenticated user differs from the target user ID in the request payload
- Unusual patterns of meeting creation activity associated with specific user accounts
Detection Strategies
- Monitor Mattermost server logs for API calls to /api/v1/askPMI with mismatched authenticated user and target user parameters
- Implement alerting on post modification events where the modifying user does not match the original post author
- Review Zoom meeting creation logs for meetings initiated via Mattermost integration with suspicious timing or frequency patterns
- Correlate Mattermost API activity with user login sessions to identify requests made with manipulated parameters
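As an added example (not part of the original advisory), a small Go scanner for the first detection strategy: it reads JSON access-log lines and reports askPMI calls whose payload user_id differs from the authenticated session user. The log field names, the /plugins/zoom route prefix and the sample lines are constructed assumptions; the body field presumes that request-payload logging (see the monitoring recommendations) has been enabled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// logRecord models one JSON access-log line. The layout is assumed for this example;
// the "body" field only exists when request-payload logging has been enabled.
type logRecord struct {
	Timestamp string `json:"timestamp"`
	Path      string `json:"path"`
	UserID    string `json:"user_id"` // the authenticated session user
	Body      struct {
		UserID string `json:"user_id"` // target user supplied by the client
		PostID string `json:"post_id"`
	} `json:"body"`
}

// Finding is one askPMI request whose payload user differs from the session user.
type Finding struct{ Timestamp, SessionUser, TargetUser, PostID string }

// FindMismatches scans newline-delimited JSON log lines and flags /api/v1/askPMI
// calls whose client-supplied user_id is not the session user; malformed lines are skipped.
func FindMismatches(logs string) []Finding {
	var out []Finding
	for _, line := range strings.Split(logs, "\n") {
		var rec logRecord
		if json.Unmarshal([]byte(line), &rec) != nil || !strings.HasSuffix(rec.Path, "/api/v1/askPMI") {
			continue
		}
		if rec.Body.UserID != "" && rec.Body.UserID != rec.UserID {
			out = append(out, Finding{rec.Timestamp, rec.UserID, rec.Body.UserID, rec.Body.PostID})
		}
	}
	return out
}

// sampleLogs is constructed test data, not real Mattermost output; the plugin
// route prefix /plugins/zoom is assumed.
const sampleLogs = `{"timestamp":"2026-02-17T10:00:01Z","path":"/plugins/zoom/api/v1/askPMI","user_id":"u_alice","body":{"user_id":"u_alice","post_id":"p1"}}
{"timestamp":"2026-02-17T10:00:05Z","path":"/plugins/zoom/api/v1/askPMI","user_id":"u_mallory","body":{"user_id":"u_alice","post_id":"p1"}}
{"timestamp":"2026-02-17T10:00:09Z","path":"/api/v4/posts","user_id":"u_bob","body":{"user_id":"u_alice","post_id":"p2"}}
not json at all`

func main() {
	for _, f := range FindMismatches(sampleLogs) {
		fmt.Printf("%s session=%s acted-as=%s post=%s\n", f.Timestamp, f.SessionUser, f.TargetUser, f.PostID)
	}
}
```

Only the second sample line is reported: the third has a mismatched payload but is not an askPMI call, and the last is not JSON.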
Monitoring Recommendations
- Enable detailed API access logging on Mattermost Server to capture full request payloads
- Configure security information and event management (SIEM) rules to flag authorization anomalies in Zoom plugin activity
- Establish baseline meeting creation patterns per user to detect anomalous impersonation attempts
- Implement real-time alerting for post modifications in sensitive or restricted channels
How to Mitigate CVE-2026-0998
Immediate Actions Required
- Update Mattermost Server to a patched version beyond the affected version ranges (11.1.2, 10.11.9, 11.2.1)
- Update the Mattermost Zoom Plugin to a version newer than 1.11.0
- Audit recent Zoom meeting initiations and post modifications for signs of exploitation
- Review access logs for the /api/v1/askPMI endpoint to identify any suspicious activity prior to patching
Patch Information
Mattermost has released security updates addressing this vulnerability. Organizations should consult the Mattermost Security Updates page for the latest patched versions and upgrade instructions. The advisory reference for this vulnerability is MMSA-2025-00534.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the Zoom plugin until the update can be applied
- Implement network-level access controls to restrict API access to the Mattermost server from trusted networks only
- Use web application firewall (WAF) rules to inspect and filter requests to the /api/v1/askPMI endpoint for parameter manipulation
- Enable additional authentication requirements for Zoom meeting initiation through organizational Zoom security policies
# Disable Zoom plugin temporarily via Mattermost CLI
mmctl plugin disable zoom
# Verify plugin is disabled
mmctl plugin list
# After updating, re-enable the patched plugin
mmctl plugin enable zoom
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

