Skip to main content

Mattermost Desktop App CVE-2026-6517

| EUVDEUVD-2026-36725 HIGH
Insufficiently Protected Credentials (CWE-522)
2026-06-15 Mattermost GHSA-2wmq-3m94-g4jr
7.7
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Mattermost) PRIMARY
MEDIUM
qualitative
NVD
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable via posted image, low complexity, requires a low-privileged server account (PR:L), no user interaction, credentials of another user are disclosed so scope changes and C:H with no I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (Mattermost).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jun 16, 2026 - 17:14 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 16, 2026 - 17:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 16, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Jun 16, 2026 - 17:07 NVD
MEDIUM HIGH
CVSS changed
Jun 16, 2026 - 17:07 NVD
6.3 (MEDIUM) 7.7 (HIGH)
Analysis Generated
Jun 15, 2026 - 14:37 vuln.today

DescriptionNVD

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651

AnalysisAI

Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harvest NTLM credentials from other users by embedding images that resolve to attacker-controlled external web servers. The client fails to enforce a strict domain allow list before forwarding Windows NTLM authentication challenges, so any post in a server without the image proxy enabled becomes a credential capture vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged Mattermost user
Delivery
Post message embedding image URL pointing to attacker server
Exploit
Victim's Desktop App fetches image without proxy interception
Execution
Attacker host responds with HTTP 401 NTLM challenge
Persist
Windows forwards victim's NTLMv2 response due to missing allow list
Impact
Attacker relays or cracks captured credentials

Vulnerability AssessmentAI

Exploitation Attacker must hold a low-privileged authenticated account on a Mattermost server (PR:L) and the server must have the image proxy feature disabled, which is the gating configuration explicitly named in the description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward moderate, targeted risk rather than mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user on a Mattermost server whose admin has not enabled the image proxy posts a message containing an inline image referencing https://attacker.example/x.png, where the attacker's server returns an HTTP 401 with WWW-Authenticate: NTLM. When a Windows colleague's Desktop App renders the channel, the OS forwards the user's NTLMv2 response to the attacker, who relays it or cracks it offline to recover the victim's domain credentials. …
Remediation Upgrade the Mattermost Desktop App to a fixed release as listed in MMSA-2026-00651 on https://mattermost.com/security-updates (patch available per vendor advisory; an exact fix version was not provided in the input, so confirm against the advisory before rollout). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Mattermost Desktop App installations and document versions in use (prioritize 6.1 and earlier, 5.5.13.0 and earlier). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

CVE-2026-6346 HIGH
8.7 May 18

Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sa

CVE-2026-6957 HIGH
8.0 May 27

Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost ser

CVE-2026-3108 HIGH
8.0 Mar 26

Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-gen

CVE-2026-4858 HIGH
8.0 May 21

Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitr

CVE-2026-6961 HIGH
7.6 Jun 12

Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 1

CVE-2026-6347 HIGH
7.6 May 18

Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 expos

CVE-2026-24458 HIGH
7.5 Mar 16

Mattermost 10.11.x through 11.3.x fails to validate password length, allowing unauthenticated attackers to trigger denia

CVE-2026-5740 HIGH
7.5 May 22

Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remo

CVE-2026-6739 HIGH
7.2 Jun 12

Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management p

Share

CVE-2026-6517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy