Mattermost Plugins <=11.6: OpenAI API key leak via unsanitized error logs
CVE-2026-9699 Published on June 26, 2026
Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
Mattermost Plugins versions <=11.6, 10.18.11, 11.3.6, 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging them. Because the API's authentication-failure response can echo the key that was presented, a user with access to server logs or support packets can obtain a valid or partially reconstructable OpenAI API key by inspecting the mattermost.log entries generated during those authentication failures.
Mattermost Advisory ID: MMSA-2026-00609
Vulnerability Analysis
CVE-2026-9699 can be exploited over the network and requires only user-level privileges (an account that can read server logs or download support packets). The attack complexity is considered low. A successful exploit has a high impact on confidentiality, with no impact on integrity or availability: the exposed key is the secret, and everything it grants on the OpenAI side is exposed with it.
Weakness Type
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
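The defect the advisory describes, and the corresponding fix, in working form. This is an added example written for this page, not code from the Mattermost Agents plugin: the error body is a constructed sample shaped like an OpenAI 401 response with a fake key, the `sk-` key pattern and the log-line format are assumptions, and the function names are hypothetical. It shows the vulnerable path (the API error string flows straight into the log record), the hardened path (secrets are redacted before the message reaches the logger), and an audit helper an operator can run over an existing mattermost.log or support packet to decide which keys need rotating.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of an OpenAI 401 error body. The key is fake; real
// responses of this type may echo the supplied key back in the message.
const sampleOpenAIError = `{"error":{"message":"Incorrect API key provided: sk-proj-abc123DEF456ghi789JKL012mno345PQR678stu. You can find your API key at https://platform.openai.com/account/api-keys.","type":"invalid_request_error","param":null,"code":"invalid_api_key"}}`

// openAIError is the shape of the error object in the sample above.
type openAIError struct {
	Error struct {
		Message string `json:"message"`
		Type    string `json:"type"`
		Code    string `json:"code"`
	} `json:"error"`
}

// parseAPIError turns a non-2xx response body into a Go error. This is the
// point at which the secret enters the error chain.
func parseAPIError(body []byte) error {
	var e openAIError
	if err := json.Unmarshal(body, &e); err != nil {
		return fmt.Errorf("openai: unparseable error body: %w", err)
	}
	return fmt.Errorf("openai: %s (code=%s)", e.Error.Message, e.Error.Code)
}

// keyPattern matches OpenAI-style secret keys: "sk-" followed by a long run
// of key characters. Assumption: every key the plugin handles has this shape.
var keyPattern = regexp.MustCompile(`sk-[A-Za-z0-9_-]{16,}`)

// bearerPattern catches a key echoed back inside an Authorization header value.
var bearerPattern = regexp.MustCompile(`(?i)bearer\s+[A-Za-z0-9_.-]+`)

// Redact strips secret-looking tokens from a message before it is logged.
func Redact(msg string) string {
	msg = bearerPattern.ReplaceAllString(msg, "Bearer [REDACTED]")
	return keyPattern.ReplaceAllString(msg, "sk-[REDACTED]")
}

// LogLineUnsanitized mirrors the defect the advisory describes: the raw API
// error, key included, is written straight into the log record.
func LogLineUnsanitized(err error) string {
	return fmt.Sprintf(`level=error msg="OpenAI request failed" error=%q`, err.Error())
}

// LogLineSanitized is the hardened form: redact before the message reaches
// the logger, so neither mattermost.log nor a support packet carries the key.
func LogLineSanitized(err error) string {
	return fmt.Sprintf(`level=error msg="OpenAI request failed" error=%q`, Redact(err.Error()))
}

// FindLeakedKeys scans existing log text and returns each distinct key-shaped
// token, so an operator can audit logs written by an unpatched plugin and
// decide which keys to rotate.
func FindLeakedKeys(logText string) []string {
	seen := map[string]bool{}
	var out []string
	for _, line := range strings.Split(logText, "\n") {
		for _, k := range keyPattern.FindAllString(line, -1) {
			if !seen[k] {
				seen[k] = true
				out = append(out, k)
			}
		}
	}
	return out
}

func main() {
	err := parseAPIError([]byte(sampleOpenAIError))
	fmt.Println("before:", LogLineUnsanitized(err))
	fmt.Println("after: ", LogLineSanitized(err))
	fmt.Println("keys found in unsanitized log:", FindLeakedKeys(LogLineUnsanitized(err)))
}
```

The sanitized line keeps the error code, which is what an operator needs to diagnose a bad key, while dropping the one field that reconstructs it. Redacting at the logging boundary rather than at each call site is the safer design, since any future code path that wraps the same error will inherit the protection. Running FindLeakedKeys over logs from before the upgrade is the practical follow-up: a key that appears there should be treated as compromised and rotated regardless of who is believed to have read the file.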
Products Associated with CVE-2026-9699
Affected Versions
Mattermost:
- Before and including 10.18.11 is affected.
- Before and including 11.3.6 is affected.
- Before and including 11.6.5 is affected.
- Version 11.7.0 is unaffected.
- Version 10.11.19 is unaffected.
- Version 11.6.4 is unaffected.
- Version 11.5.7 is unaffected.
Note that this list is internally inconsistent (11.6.4 is listed as unaffected while releases up to and including 11.6.5 are listed as affected); confirm the fixed versions against Mattermost advisory MMSA-2026-00609 before deciding whether an installation needs patching.