What is the CVSS score of CVE-2026-6347?

CVE-2026-6347 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Mattermost Calls are affected by CVE-2026-6347?

Mattermost Calls plugin versions 11.5.1, 10.11.13, and 11.4.3 and earlier leak TURN server credentials in plaintext within support packet exports, allowing administrators to compromise voice and…

Mattermost Calls CVE-2026-6347

Q: How to fix or mitigate CVE-2026-6347?

Within 24 hours: Identify all Mattermost instances running affected Calls plugin versions (11.5.x ≤11.5.1, 10.11.x ≤10.11.13, 11.4.x ≤11.4.3) and restrict support packet generation to essential personnel only. Within 7 days: Review audit logs for unauthorized support packet exports and disable or rotate all TURN server credentials immediately. Within 30 days: Upgrade Mattermost Calls plugin to the next available patched release when vendor releases a fix, or implement network segmentation to isolate TURN infrastructure from administrative access.

EUVD-2026-30752 HIGH

Information Exposure (CWE-200)

2026-05-18 Mattermost

GHSA-82j6-4fq7-fx62

Information Disclosure Mattermost

7.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

May 18, 2026 - 09:30 vuln.today

DescriptionNVD

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration.. Mattermost Advisory ID: MMSA-2026-00605

AnalysisAI

Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 exposes TURN server credentials through support packets. Administrators with support packet access can extract plaintext credentials from exported plugin configurations, potentially compromising the WebRTC infrastructure used for voice/video calls. …

RemediationAI

Within 24 hours: Identify all Mattermost instances running affected Calls plugin versions (11.5.x ≤11.5.1, 10.11.x ≤10.11.13, 11.4.x ≤11.4.3) and restrict support packet generation to essential personnel only. Within 7 days: Review audit logs for unauthorized support packet exports and disable or rotate all TURN server credentials immediately. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6347 vulnerability details – vuln.today

Back