
Mattermost Agents CVE-2026-4339

EUVD: EUVD-2026-39779 · MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-26 · responsibledisclosure@mattermost.com · GHSA-p3qg-h7r3-79xr
6.5 (CVSS 3.1) · Vendor: mattermost

Severity by source

Vendor (mattermost), primary: 6.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

vuln.today AI: 6.5 MEDIUM

Rationale: the vector is Local because MCP stdio mode is process-local; PR:L because the attacker needs access to that interface; S:C and C:H reflect the SSRF reaching internal network services beyond the vulnerable host.

CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (mattermost).

CVSS Vector (Vendor: mattermost)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis generated: Jun 26, 2026, 16:06 (vuln.today)

Description (CVE.org)

Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server, which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services by supplying internal URLs as file attachments in post creation requests. Mattermost Advisory ID: MMSA-2026-00635

Analysis (AI)

Server-side request forgery in the Mattermost Agents plugin MCP server (stdio mode) allows a low-privileged local attacker to make the server fetch arbitrary internal URLs submitted as file attachment references in post creation requests, enabling exfiltration of data from RFC 1918-addressed services on the internal network. Affected are Mattermost deployments running versions 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, and 11.6.x ≤ 11.6.3 with the Agents plugin's MCP server active in stdio mode. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: gain local access to the MCP stdio interface.
Delivery: craft a post creation request with an RFC 1918 URL as an attachment.
Exploit: the MCP server issues an unvalidated outbound HTTP fetch.
Execution: the internal service responds with sensitive data.
Impact: the attacker receives the exfiltrated response payload.

Vulnerability Assessment (AI)

Exploitation: exploitation requires three conditions to hold simultaneously: (1) the Mattermost Agents plugin must be installed and active; (2) the MCP server within that plugin must be running in stdio mode specifically (other MCP transport modes are not indicated as vulnerable); and (3) the attacker must have low-privilege local access to the process interface of that MCP server (CVSS PR:L, AV:L). …
Risk Assessment: the NVD CVSS 3.1 score of 6.5 with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N correctly reflects a local-vector attack with scope change and high confidentiality impact. …
Exploit Scenario: an attacker with local access to the host running the Mattermost Agents plugin in MCP stdio mode crafts a post creation request that includes an internal URL, such as http://169.254.169.254/latest/meta-data/ (cloud instance metadata) or http://192.168.1.10:8080/api/internal, as a file attachment reference. The Agents plugin MCP server issues an outbound HTTP fetch to the supplied URL without checking it against blocked address ranges, and the response body (containing cloud credentials or internal API responses) is returned or logged in a manner accessible to the attacker. …
Remediation: the primary remediation is to upgrade Mattermost to the first fixed release in each affected branch, as specified in Mattermost advisory MMSA-2026-00635 at https://mattermost.com/security-updates; exact fix version numbers were not provided in the available data and should be confirmed there before deploying. …
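The missing validation described above, written as an added example in Go (the language Mattermost plugins are written in); this is not Mattermost's or the Agents plugin's own code. It assumes a blocklist of loopback, RFC 1918, link-local and their IPv6 equivalents, and takes the resolver as a parameter so the check can be exercised offline.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Blocked ranges (list constructed for this example): loopback, RFC 1918, link-local
// (covers the 169.254.169.254 metadata endpoint), unspecified, and IPv6 equivalents.
var blockedCIDRs = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10", "::/128"}

// ipBlocked reports whether ip is in a blocked range (IPv4-mapped IPv6 is matched as IPv4).
func ipBlocked(ip net.IP) bool {
	for _, c := range blockedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkAttachmentURL returns nil only for an http(s) URL whose host, a literal IP
// or a name resolved through resolve (net.LookupIP in production), is allowed.
func checkAttachmentURL(rawURL string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed for attachments", u.Scheme)
	}
	ips := []net.IP{net.ParseIP(u.Hostname())}
	if ips[0] == nil { // a hostname: every address it resolves to must be allowed
		if ips, err = resolve(u.Hostname()); err != nil {
			return fmt.Errorf("resolve %q: %w", u.Hostname(), err)
		}
	}
	for _, ip := range ips {
		if ipBlocked(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", u.Hostname(), ip)
		}
	}
	return nil
}

func main() {
	fmt.Println(checkAttachmentURL("http://169.254.169.254/latest/meta-data/", net.LookupIP))
}
```

This validates before the fetch; to also close the DNS-rebinding and redirect gaps, run ipBlocked on the resolved socket address in net.Dialer.Control and re-run checkAttachmentURL from http.Client.CheckRedirect.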
