Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Local vector because MCP stdio mode is process-local; PR:L because the attacker needs access to the MCP server's process interface; S:C and C:H because the SSRF reaches internal network services beyond the vulnerable host, so the confidentiality impact falls on a different security scope.
Primary rating from Vendor (mattermost).
CVSS Vector (Vendor: mattermost)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
Description (CVE.org)
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server, which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services by supplying internal URLs as file attachments in post creation requests. Mattermost Advisory ID: MMSA-2026-00635
Analysis (AI)
Server-side request forgery in the Mattermost Agents plugin MCP server (stdio mode) allows a low-privileged local attacker to make the server fetch arbitrary internal URLs submitted as file attachment references in post creation requests, enabling exfiltration of data from RFC 1918-addressed services on the internal network. Affected are Mattermost deployments running versions 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, and 11.6.x ≤ 11.6.3 with the Agents plugin's MCP server active in stdio mode. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Three conditions must hold at the same time: (1) the Mattermost Agents plugin is installed and active; (2) its MCP server is running in stdio mode (other MCP transport modes are not indicated as vulnerable); and (3) the attacker has low-privilege local access to that MCP server's process interface (CVSS AV:L, PR:L). … |
| Risk Assessment | The NVD CVSS 3.1 score of 6.5 with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N reflects a local-vector attack with a scope change and high confidentiality impact, and no integrity or availability impact. … |
| Exploit Scenario | An attacker with local access to the host running the Agents plugin's MCP server in stdio mode submits a post creation request whose file attachment reference is an internal URL, for example http://169.254.169.254/latest/meta-data/ (cloud instance metadata) or http://192.168.1.10:8080/api/internal. The MCP server issues an outbound HTTP fetch to the supplied URL without checking it against blocked address ranges, and the response body (cloud credentials, internal API output) is returned or logged where the attacker can read it. … |
| Remediation | Upgrade Mattermost to the first fixed release in each affected branch, as specified in Mattermost advisory MMSA-2026-00635 at https://mattermost.com/security-updates; exact fix version numbers were not provided in the available data and should be confirmed there before deploying. … |
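The address-range check the advisory describes as missing, written as an added Go example for this page (it is not the Agents plugin's code; the function names, the ConstructedResolver and its made-up DNS records, and the extra blocked prefixes are assumptions). It rejects the two URLs from the exploit scenario above, treats IPv4-mapped IPv6 and every resolved address of a name as in scope, and repeats the check at dial time so a DNS answer that changes between validation and connect does not slip through:

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Ranges netip's helpers do not flag but that should never be fetched on a chat
// user's behalf: CGNAT, IETF protocol assignments, the IPv6 discard prefix.
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("192.0.0.0/24"),
	netip.MustParsePrefix("100::/64"),
}

// IsDisallowedAddr flags loopback, link-local (where 169.254.169.254 lives),
// private (RFC 1918 / IPv6 ULA), unspecified, multicast and extraBlocked ranges.
// IPv4-mapped IPv6 is unmapped first so ::ffff:127.0.0.1 is judged as 127.0.0.1.
func IsDisallowedAddr(a netip.Addr) bool {
	a = a.Unmap()
	blocked := !a.IsValid() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsPrivate() ||
		a.IsUnspecified() || a.IsMulticast() || a.IsInterfaceLocalMulticast()
	for _, p := range extraBlocked {
		blocked = blocked || p.Contains(a)
	}
	return blocked
}

// Resolver abstracts DNS; in production wrap net.DefaultResolver.LookupNetIP(ctx, "ip", host).
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// ConstructedResolver returns made-up records (an assumption for this example) so
// it runs offline; rebind.test deliberately mixes a public and a private answer.
func ConstructedResolver(_ context.Context, host string) ([]netip.Addr, error) {
	records := map[string][]netip.Addr{
		"example.com": {netip.MustParseAddr("93.184.216.34")},
		"rebind.test": {netip.MustParseAddr("93.184.216.34"), netip.MustParseAddr("10.0.0.5")},
	}
	if addrs, ok := records[host]; ok {
		return addrs, nil
	}
	return nil, fmt.Errorf("no such host: %q", host)
}

// ValidateAttachmentURL is the pre-flight check: only http(s), and every address the
// host resolves to must pass IsDisallowedAddr. The vetted addresses are returned so the
// caller can connect to one of them instead of resolving the name a second time.
func ValidateAttachmentURL(ctx context.Context, raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	var addrs []netip.Addr
	if ip, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{ip} // literal IP: nothing to resolve
	} else if addrs, err = resolve(ctx, host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("%q did not resolve", host)
	}
	for _, a := range addrs {
		if IsDisallowedAddr(a) {
			return nil, fmt.Errorf("%q resolves to disallowed address %s", host, a)
		}
	}
	return addrs, nil
}

// NewGuardedClient repeats the check inside DialContext, on the host:port the transport
// is about to connect to, which also covers every redirect hop. Dialing the vetted IP
// rather than the name closes the window in which a DNS rebind could swap the answer;
// TLS still verifies the certificate against the request's host name.
func NewGuardedClient(resolve Resolver) *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				host, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				addrs, err := ValidateAttachmentURL(ctx, "http://"+net.JoinHostPort(host, port), resolve)
				if err != nil {
					return nil, err
				}
				return (&net.Dialer{Timeout: 10 * time.Second}).DialContext(ctx, network, net.JoinHostPort(addrs[0].String(), port))
			},
		},
	}
}
```

Calling ValidateAttachmentURL(ctx, "http://169.254.169.254/latest/meta-data/", ConstructedResolver) or the 192.168.1.10 URL returns an error, while https://example.com/file.png passes with the single vetted address. The pre-flight check alone is not enough: a name can legitimately resolve to a public address at validation time and to 10.0.0.5 a moment later, which is why the client re-validates the address it is actually dialing. Fetching through NewGuardedClient also applies the same check to redirect targets, since each hop goes through DialContext.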
More in Mattermost
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sa
Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost ser
Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-gen
Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitr
Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harves
Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 1
Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 expos
Mattermost 10.11.x through 11.3.x fails to validate password length, allowing unauthenticated attackers to trigger denia
Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remo
Same weakness: CWE-918 – Server-Side Request Forgery (SSRF)
EUVD-2026-39779
GHSA-p3qg-h7r3-79xr