Mattermost and Mattermost Plugin Zoom User Identity Validation Vulnerability in the AskPMI Endpoint

Vulnerability

A vulnerability exists in Mattermost versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1, as well as in Mattermost Plugin Zoom versions through 1.11.0. These versions fail to properly validate user identity and post ownership in the /api/v1/askPMI endpoint. This oversight allows unauthorized users to initiate Zoom meetings on behalf of any user and to overwrite posts by manipulating user IDs and post data in direct API calls.
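As an added illustration (not the plugin's or Mattermost's own code), the following Go handler logic shows the two checks the advisory describes as missing: the user named in the request must be the authenticated caller, and the post to be overwritten must belong to that caller. It assumes a hypothetical request body with user_id and post_id fields and a constructed in-memory post lookup; the caller identity is taken from the Mattermost-User-Id header that the Mattermost server sets on requests it forwards to plugins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// askPMIRequest is an assumed body shape; both fields are attacker-controlled input.
type askPMIRequest struct {
	UserID string `json:"user_id"`
	PostID string `json:"post_id"`
}

// postAuthors is a constructed stand-in for the plugin API's post lookup (post ID -> author ID).
type postAuthors map[string]string

// authorizeAskPMI binds the body to the identity the server attached to the request: the
// Mattermost server sets Mattermost-User-Id on requests it forwards to a plugin, so body values
// are only compared against that header. Returns the HTTP status and a nil error only on success.
func authorizeAskPMI(r *http.Request, posts postAuthors) (askPMIRequest, int, error) {
	var req askPMIRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return req, http.StatusBadRequest, err
	}
	caller := r.Header.Get("Mattermost-User-Id")
	if caller == "" {
		return req, http.StatusUnauthorized, fmt.Errorf("no authenticated user")
	}
	if req.UserID != caller { // body names another user: do not act on their behalf
		return req, http.StatusForbidden, fmt.Errorf("user_id does not match caller")
	}
	author, ok := posts[req.PostID]
	if !ok {
		return req, http.StatusNotFound, fmt.Errorf("post not found")
	}
	if author != caller { // post belongs to someone else: do not overwrite it
		return req, http.StatusForbidden, fmt.Errorf("caller does not own post")
	}
	return req, http.StatusOK, nil
}

func main() { // constructed check: alice's session submits a body naming bob
	r := httptest.NewRequest("POST", "/api/v1/askPMI", strings.NewReader(`{"user_id":"bob","post_id":"p1"}`))
	r.Header.Set("Mattermost-User-Id", "alice")
	_, status, err := authorizeAskPMI(r, postAuthors{"p1": "alice"})
	fmt.Println(status, err) // 403 user_id does not match caller
}
```

Only after this function returns a nil error would the handler start the meeting and update the post; every other path responds with the returned status and performs no action.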

Impact

Exploitation of this vulnerability allows unauthorized users to start Zoom meetings as any user and to overwrite arbitrary posts by manipulating user IDs and post data through the API.

Remediation

Upgrade Mattermost to version 11.4.0 or 10.11.11, and Mattermost Plugin Zoom to version 1.11.1.

Added: Feb 16, 2026, 1:23 PM
Updated: Feb 16, 2026, 1:23 PM

Vulnerability Rating (Custom Algorithm)

spread:         3.1
impact:         2.5
exploitability: 4.8
remediation:    7.7
relevance:      3.2
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.