GHSA-gr4w-63r3-8h38
Mattermost Plugins versions 10.18.11, 11.3.6, 11.6.5.0, and all versions up to 11.6 fail to sanitize error responses from the OpenAI API before logging. This vulnerability allows users with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key by inspecting mattermost.log entries generated during authentication failures. The issue is tracked as CVE-2026-9699 and is classified under CWE-532 (Information Exposure Through Log Files).
AI Analysis
Technical Summary
Mattermost Plugins up to version 11.6, including specific versions 10.18.11, 11.3.6, and 11.6.5.0, do not properly sanitize error responses from the OpenAI API before writing them to logs. As a result, sensitive information such as valid or partially reconstructable OpenAI API keys can be exposed to any user who has access to server logs or support packets. This vulnerability is identified as CVE-2026-9699 and categorized under CWE-532, indicating improper handling of sensitive data in logs. There is no vendor advisory or patch information provided in the input data.
Potential Impact
An attacker or unauthorized user with access to Mattermost server logs or support packets can extract valid or partially reconstructable OpenAI API keys. This exposure can lead to unauthorized use of the OpenAI API under the compromised key, potentially resulting in abuse of API resources or data leakage. The vulnerability does not impact confidentiality, integrity, or availability of Mattermost itself directly but exposes sensitive credentials that could be misused externally.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to server logs and support packets to trusted personnel only to prevent unauthorized disclosure of OpenAI API keys. Monitor vendor channels for updates or patches addressing this issue.
GHSA-gr4w-63r3-8h38
Description
Mattermost Plugins versions 10.18.11, 11.3.6, 11.6.5.0, and all versions up to 11.6 fail to sanitize error responses from the OpenAI API before logging. This vulnerability allows users with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key by inspecting mattermost.log entries generated during authentication failures. The issue is tracked as CVE-2026-9699 and is classified under CWE-532 (Information Exposure Through Log Files).
CVSS v3.1
Affected software
pkg:npm/mattermost/pluginsRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mattermost Plugins up to version 11.6, including specific versions 10.18.11, 11.3.6, and 11.6.5.0, do not properly sanitize error responses from the OpenAI API before writing them to logs. As a result, sensitive information such as valid or partially reconstructable OpenAI API keys can be exposed to any user who has access to server logs or support packets. This vulnerability is identified as CVE-2026-9699 and categorized under CWE-532, indicating improper handling of sensitive data in logs. There is no vendor advisory or patch information provided in the input data.
Potential Impact
An attacker or unauthorized user with access to Mattermost server logs or support packets can extract valid or partially reconstructable OpenAI API keys. This exposure can lead to unauthorized use of the OpenAI API under the compromised key, potentially resulting in abuse of API resources or data leakage. The vulnerability does not impact confidentiality, integrity, or availability of Mattermost itself directly but exposes sensitive credentials that could be misused externally.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to server logs and support packets to trusted personnel only to prevent unauthorized disclosure of OpenAI API keys. Monitor vendor channels for updates or patches addressing this issue.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-gr4w-63r3-8h38
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-9699"]
- Ecosystems
- []
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a3ef79827e9c79719ff9c5a
Added to database: 06/26/2026, 22:05:12 UTC
Last enriched: 06/26/2026, 22:20:36 UTC
Last updated: 06/27/2026, 00:51:24 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.