Mattermost Legal Hold Plugin Authorization Bypass Vulnerability Allowing Unauthorized Access to Legal Hold Data
Vulnerability
Mattermost Plugin Legal Hold versions through 1.1.4 fail to properly stop request processing after an authorization check fails: the failed check is recorded, but the handler continues to execute the requested operation. An authenticated attacker can therefore send crafted API requests to the plugin's endpoints and gain unauthorized access to legal hold data, including the ability to create, download, and delete legal hold information.
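The bug class described above is a missing early return after a failed permission check. The following is an added illustration, not code from the Mattermost plugin: a vulnerable Go HTTP handler beside its fixed form, with a hypothetical `isAdmin` check, a made-up `X-Role` header and a made-up `/api/v1/legalholds` path standing in for the plugin's real authorization logic and routes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// isAdmin is a hypothetical stand-in for the plugin's real permission check.
func isAdmin(r *http.Request) bool {
	return r.Header.Get("X-Role") == "admin"
}

// vulnerableHandler writes a 403 when the check fails but then falls through,
// so the privileged operation still runs and its result is appended to the
// response body. The status code alone hides the leak.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// missing return: processing continues below
	}
	fmt.Fprint(w, "legal-hold-data") // stands in for the privileged action
}

// fixedHandler stops processing as soon as the authorization check fails.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "legal-hold-data")
}

// probe calls a handler as a non-admin user (no X-Role header) and returns
// the status code and full body, which is what a regression test should
// inspect rather than the status code only.
func probe(h http.HandlerFunc) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/legalholds", nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	code, body := probe(vulnerableHandler)
	fmt.Printf("vulnerable: %d %q\n", code, body) // 403, but body holds the data
	code, body = probe(fixedHandler)
	fmt.Printf("fixed:      %d %q\n", code, body) // 403, body is only the error
}
```

A regression test for this class of bug should assert on the response body of a denied request, since both handlers return 403.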
Impact
Exploitation of this vulnerability allows an authenticated attacker to gain unauthorized access to legal hold data within the Mattermost environment and to create, download, and delete legal hold information.
Remediation
Upgrade to Mattermost Plugin Legal Hold version 1.1.5 or later, which addresses this vulnerability.
