CVE-2026-2299

Description

The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership.

References

• https://github.com/mattermost/mattermost-plugin-google-drive/releases/tag/v1.1.0