Insufficient Input Validation in Mattermost Plugins Enables Information Exposure
CVE-2026-9699
6.8MEDIUM
What is CVE-2026-9699?
Certain versions of Mattermost Plugins fail to properly sanitize error responses from the OpenAI API before logging. This oversight allows an authenticated user, with access to server logs or support packets, to potentially retrieve a valid or partially reconstructable OpenAI API key by examining the entries in mattermost.log that are generated during authentication failures. This vulnerability emphasizes the importance of input validation and error handling in maintaining the security of API keys and sensitive data.
Affected Version(s)
Mattermost 0 <= 10.18.11
Mattermost 0 <= 11.3.6
Mattermost 0 <= 11.6.5