CVE-2026-6345
Received Received - Intake
Password Disclosure in Mattermost

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-18
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6345
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.14 (exc)
mattermost mattermost_server From 11.4.0 (inc) to 11.4.4 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Mattermost versions 11.5.x up to 11.5.1, 10.11.x up to 10.11.13, and 11.4.x up to 11.4.3. It involves a failure to prevent the disclosure of created user passwords. Because of this flaw, a malicious attacker can obtain some of these passwords and use them to impersonate legitimate users.

Impact Analysis

The vulnerability can lead to unauthorized access by attackers who obtain user passwords. This allows them to impersonate users, potentially gaining access to sensitive information or performing actions on behalf of those users. The CVSS score of 6.5 indicates a medium to high severity, with high impact on confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1, 10.11.13, or 11.4.3, as these versions contain the fix that prevents disclosure of created user passwords.

Additionally, monitor the Mattermost Security Updates page for any further patches or advisories.

Compliance Impact

The vulnerability in Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3 allows disclosure of created user passwords, enabling malicious attackers to impersonate users.

Such unauthorized disclosure of user credentials can lead to violations of data protection and privacy regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, this vulnerability potentially impacts compliance by exposing sensitive user authentication data, increasing the risk of data breaches and unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6345. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart