Description

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

Severity (CVSS)

Base score: 4.2
Severity: Medium
Version: CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Provided by: CNA

Weaknesses

  • CWE-862: Missing Authorization

Affected products

Vendor: Mattermost
Product: Mattermost Google Drive Plugin
Versions: 0 to <=1.0.0; 1.1.0

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 26 Jun 2026 07:05 UTC.