Legal Hold Plugin Vulnerability in Mattermost by Mattermost
CVE-2026-3524
8.3 HIGH
What is CVE-2026-3524?
Mattermost Plugin Legal Hold versions up to 1.1.4 fail to terminate request processing after a failed authorization check. The flaw exposes sensitive legal hold data: an authenticated attacker can reach the plugin's endpoints with specially crafted API requests. Successful exploitation can lead to unauthorized access to, and creation, download, and deletion of, legal hold data, compromising its confidentiality and integrity.
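The bug class described above, shown as an added Go example (Go is the language Mattermost server plugins are written in); this is not the plugin's own code. The `store` type, the `X-Role` header check, and the `/holds` route are hypothetical, and the sample record is constructed. The vulnerable handler writes a 403 but still performs the delete; the fixed handler returns immediately.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// store is a constructed stand-in for the legal hold records.
type store struct{ holds map[string]string }

// isAdmin is a hypothetical authorization check keyed on a request header.
func isAdmin(r *http.Request) bool { return r.Header.Get("X-Role") == "admin" }

// deleteVulnerable writes 403 on a failed check but keeps going:
// without a return, the delete below still runs.
func (s *store) deleteVulnerable(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
	}
	delete(s.holds, r.URL.Query().Get("id"))
}

// deleteFixed stops processing as soon as authorization fails.
func (s *store) deleteFixed(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	delete(s.holds, r.URL.Query().Get("id"))
	w.WriteHeader(http.StatusNoContent)
}

// probe sends a non-admin DELETE and returns the status code and whether the record survived.
func probe(h func(*store, http.ResponseWriter, *http.Request)) (int, bool) {
	s := &store{holds: map[string]string{"h1": "constructed sample hold"}}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, "/holds?id=h1", nil)
	h(s, rec, req)
	_, kept := s.holds["h1"]
	return rec.Code, kept
}

func main() {
	code, kept := probe((*store).deleteVulnerable)
	fmt.Println("vulnerable:", code, "record kept:", kept)
	code, kept = probe((*store).deleteFixed)
	fmt.Println("fixed:     ", code, "record kept:", kept)
}
```

Both handlers answer 403, so status codes alone do not reveal the flaw; a regression test has to assert on the stored state after the rejected request.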
Affected Version(s)
Mattermost 0 <= 1.1.4
Mattermost 1.1.5