Insufficient Input Validation in Mattermost Plugins Enables Information Exposure
CVE-2026-9699

6.8MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
26 June 2026

What is CVE-2026-9699?

Certain versions of Mattermost Plugins fail to properly sanitize error responses from the OpenAI API before logging. This oversight allows an authenticated user, with access to server logs or support packets, to potentially retrieve a valid or partially reconstructable OpenAI API key by examining the entries in mattermost.log that are generated during authentication failures. This vulnerability emphasizes the importance of input validation and error handling in maintaining the security of API keys and sensitive data.

Affected Version(s)

Mattermost 0 <= 10.18.11

Mattermost 0 <= 11.3.6

Mattermost 0 <= 11.6.5

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Edgar Bellot MicĂł
.