CVE-2026-2299

Source
https://cve.org/CVERecord?id=CVE-2026-2299
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2299.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2299
Published
2026-06-25T18:55:11.905Z
Modified
2026-07-15T01:49:00.214829449Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint
Details

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2299.json",
    "cwe_ids": [
        "CWE-862"
    ],
    "cna_assigner": "Mattermost"
}
References

Affected packages

Git / github.com/mattermost/mattermost-plugin-google-drive

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost-plugin-google-drive
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0"
        },
        {
            "fixed": "1.1.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1.0-alpha
v1.*
v1.0.0
v1.1.0-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2299.json"