{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mattermost/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3524"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["mattermost","authentication-bypass","legal-hold"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mattermost Legal Hold plugin, in versions 1.1.4 and earlier, contains an authentication bypass vulnerability (CVE-2026-3524) that can be exploited by authenticated attackers. The vulnerability lies in the ServeHTTP function, where a failed authorization check does not properly halt request processing. This flaw allows attackers to craft malicious API requests to the plugin\u0026rsquo;s endpoints, enabling them to access, create, download, and delete legal hold data without proper authorization. The vulnerability is identified by Mattermost Advisory ID MMSA-2026-00621 and poses a significant risk to organizations using the affected plugin versions, potentially leading to data breaches and compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Mattermost server with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious API request targeting the Legal Hold plugin\u0026rsquo;s endpoints.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Mattermost server.\u003c/li\u003e\n\u003cli\u003eThe ServeHTTP function in the Legal Hold plugin processes the request.\u003c/li\u003e\n\u003cli\u003eAuthorization check fails due to insufficient privileges or incorrect parameters.\u003c/li\u003e\n\u003cli\u003eInstead of halting request processing, the plugin continues to execute the request.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to legal hold data or performs unauthorized actions (create, download, delete).\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates or manipulates sensitive legal hold information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3524) allows authenticated attackers to bypass authorization controls within the Mattermost Legal Hold plugin. This can result in unauthorized access, creation, modification, or deletion of sensitive legal hold data. The vulnerability affects versions 1.1.4 and earlier of the plugin. Organizations using the affected versions are at risk of data breaches, compliance violations, and reputational damage. A CVSS v3.1 score of 8.8 indicates a high level of severity due to the potential for significant data compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Mattermost Legal Hold plugin to a version later than 1.1.4 to remediate CVE-2026-3524.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts targeting the vulnerable Legal Hold plugin endpoints (see rules section).\u003c/li\u003e\n\u003cli\u003eMonitor Mattermost server logs for unusual API requests to the Legal Hold plugin, specifically those resulting in unexpected data access or modification, as a potential sign of exploitation (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T13:17:18Z","date_published":"2026-04-06T13:17:18Z","id":"/briefs/2026-04-mattermost-legal-hold-auth-bypass/","summary":"Mattermost Legal Hold plugin versions 1.1.4 and earlier allow authenticated attackers to bypass authorization checks, enabling unauthorized access and modification of legal hold data via crafted API requests.","title":"Mattermost Legal Hold Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mattermost-legal-hold-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-3108","mattermost","terminal-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3108 affects Mattermost servers using the \u003ccode\u003emmctl\u003c/code\u003e command-line tool. This vulnerability, disclosed in March 2026, stems from a failure to properly sanitize user-controlled post content within the terminal output of \u003ccode\u003emmctl\u003c/code\u003e commands. Specifically, versions 11.2.x up to 11.2.2, 10.11.x up to 10.11.10, 11.4.x up to 11.4.0, and 11.3.x up to 11.3.1 are susceptible. An attacker leveraging this flaw can inject ANSI and OSC escape sequences into administrator terminals. These sequences enable…\u003c/p\u003e\n","date_modified":"2026-03-26T17:16:41Z","date_published":"2026-03-26T17:16:41Z","id":"/briefs/2026-03-mattermost-terminal-injection/","summary":"Mattermost versions 11.2.x \u003c= 11.2.2, 10.11.x \u003c= 10.11.10, 11.4.x \u003c= 11.4.0, 11.3.x \u003c= 11.3.1 are vulnerable to terminal injection, allowing attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences.","title":"Mattermost mmctl Terminal Injection Vulnerability (CVE-2026-3108)","url":"https://feed.craftedsignal.io/briefs/2026-03-mattermost-terminal-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Mattermost","version":"https://jsonfeed.org/version/1.1"}