CVE-2026-3524
Published: 06 April 2026
Summary
CVE-2026-3524 is a high-severity Missing Authorization (CWE-862) vulnerability in Mattermost Plugin Legal Hold (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). It ranks in the 5.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to information and system resources, directly mitigating the failure to halt request processing after a failed authorization check in the plugin's ServeHTTP function.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of system flaws, such as patching Mattermost Legal Hold plugin versions <=1.1.4 to remediate the authorization vulnerability.
- AC-6 (Least Privilege): Restricts authorized access to what each task requires, limiting the damage a low-privilege authenticated attacker can do through the authorization bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in the plugin API lets low-privilege authenticated attackers access (T1213 Data from Information Repositories), download and exfiltrate (T1567 Exfiltration Over Web Service), create or manipulate (T1565 Data Manipulation), and delete (T1485 Data Destruction) legal hold data.
NVD Description
Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints.…
Mattermost Advisory ID: MMSA-2026-00621
Deeper analysis
CVE-2026-3524 is a missing authorization vulnerability (CWE-862) in the Mattermost Plugin Legal Hold versions <=1.1.4. The flaw occurs in the ServeHTTP function, where request processing continues even after a failed authorization check. This enables unauthorized operations on legal hold data through the plugin's API endpoints. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-06.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting API requests to the plugin's endpoints, the attacker can access, create, download, and delete legal hold data, achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged security scope (S:U).
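The description says ServeHTTP does not halt after a failed authorization check. The Go handlers below are an added illustration of that bug class, not the plugin's own code: they assume the common shape in which the error response is written but the handler does not return, so the privileged operation (here a constructed in-memory delete) still executes. The isAdmin check, the X-Role header, the /legalholds/ path and the store contents are all constructed for the example.

```go
package main

import "net/http"
import "net/http/httptest"
import "strings"

// holdStore is a constructed in-memory stand-in for legal hold records.
type holdStore map[string]string
// isAdmin stands in for the plugin's real check (assumption); X-Role is a constructed demo header.
func isAdmin(r *http.Request) bool {
	return r.Header.Get("X-Role") == "system_admin"
}
// deleteHold is the privileged operation the authorization check is meant to guard.
func deleteHold(store holdStore, w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/legalholds/") // constructed path, not the plugin's
	delete(store, id)
	w.Write([]byte("deleted " + id))
}
// vulnerableServeHTTP models the CWE-862 pattern described for <=1.1.4:
// the failed check is reported, but request processing is not halted.
func vulnerableServeHTTP(store holdStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !isAdmin(r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			// BUG: missing return; execution falls through to the delete.
		}
		deleteHold(store, w, r)
	}
}
// fixedServeHTTP returns immediately after the failed check.
func fixedServeHTTP(store holdStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !isAdmin(r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return // nothing below may run for an unauthorized caller
		}
		deleteHold(store, w, r)
	}
}
// exercise sends a DELETE as the given role and reports the status and whether the record survived.
func exercise(build func(holdStore) http.HandlerFunc, role string) (int, bool) {
	store := holdStore{"hold-1": "constructed legal hold"}
	req := httptest.NewRequest(http.MethodDelete, "/legalholds/hold-1", nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	build(store)(rec, req)
	_, survived := store["hold-1"]
	return rec.Code, survived
}
```

Note that the vulnerable handler still answers 403, so a caller watching only status codes would see a refusal while the record is gone; a regression test must assert on the side effect, not the status.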
Mattermost Advisory ID MMSA-2026-00621 addresses this issue. Further details on mitigation and patches are available in the security updates at https://mattermost.com/security-updates.
Details
- CWE(s)