What is the CVSS score of EUVD-2026-30754?

EUVD-2026-30754 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Mattermost are affected by EUVD-2026-30754?

Mattermost versions through 11.5.1 leak sensitive credentials including database passwords and API keys in plaintext within support packets accessible from the System Console, creating immediate risk…

Mattermost EUVD-2026-30754

Q: How to fix or mitigate EUVD-2026-30754?

Within 24 hours: Restrict System Console access to only essential administrators and disable support packet download functionality if available via administrative controls. Within 7 days: Audit all downloaded support packets for credential exposure and rotate all passwords, API keys, and secrets referenced in Mattermost configuration (database credentials, LDAP/SAML bindings, webhook tokens, OAuth secrets). Within 30 days: Upgrade to Mattermost 11.6.0 or later when available, or implement version-specific patches if released for 10.11.x and 11.4.x branches; verify credential sanitization in support packets post-upgrade.

| CVE-2026-6346 HIGH

Information Exposure (CWE-200)

2026-05-18 Mattermost

GHSA-9p64-jpc7-m2rp

Information Disclosure Mattermost

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 18, 2026 - 09:30 vuln.today

DescriptionNVD

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console.. Mattermost Advisory ID: MMSA-2026-00607

AnalysisAI

Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sanitization of configuration fields. System administrators or anyone with access to support packets can obtain database passwords, API keys, and other sensitive credentials by downloading support packets from the System Console. …

RemediationAI

Within 24 hours: Restrict System Console access to only essential administrators and disable support packet download functionality if available via administrative controls. Within 7 days: Audit all downloaded support packets for credential exposure and rotate all passwords, API keys, and secrets referenced in Mattermost configuration (database credentials, LDAP/SAML bindings, webhook tokens, OAuth secrets). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30754 vulnerability details – vuln.today

Back

Mattermost EUVD-2026-30754

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code