CVE-2026-9699 | Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 … | CVSS 6.8 MEDIUM

Description

Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609

Metadata

CVE ID: CVE-2026-9699
State: PUBLISHED
Assigner: Mattermost
Reserved: 2026-05-27 12:08 UTC
Published: 2026-06-26 14:43 UTC
Last updated: 2026-06-26 15:40 UTC
Primary CWE: CWE-532
CWE-532: Insertion of Sensitive Information into Log Files
Vendor / Product: Mattermost / Mattermost
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Mattermost	Mattermost	—	0 ≤ 10.18.11, 0 ≤ 11.3.6, 0 ≤ 11.6.5, 11.7.0 …

Weakness (CWE)

CWE	Source	Description
CWE-532	cna	CWE-532: Insertion of Sensitive Information into Log Files

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

References (1)

MMSA-2026-00609 https://mattermost.com/security-updates