Mattermost Plugins <=11.6: OpenAI API key leak via unsanitized error logs
CVE-2026-9699 Published on June 26, 2026

Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-9699 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.


Products Associated with CVE-2026-9699

Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.

 

Affected Versions

Mattermost: