CVE-2026-6346
Received Received - Intake
Mattermost Support Packet Credential Exposure

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console.. Mattermost Advisory ID: MMSA-2026-00607
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-18
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6346
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.14 (exc)
mattermost mattermost_server From 11.4.0 (inc) to 11.4.4 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects certain versions of Mattermost (11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3) where sensitive configuration fields are not properly sanitized before being included in support packet generation.

As a result, a Mattermost System Admin or anyone with access to a support packet can obtain sensitive credentials in plaintext by downloading a support packet from the System Console.

Impact Analysis

This vulnerability can lead to the exposure of sensitive credentials in plaintext to unauthorized parties who have access to support packets.

Such exposure can compromise the confidentiality and integrity of the Mattermost system, potentially allowing attackers to escalate privileges or access sensitive data.

The CVSS score of 8.7 indicates a high severity impact, with high confidentiality and integrity impact but no impact on availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 for the 11.5.x series, later than 10.11.13 for the 10.11.x series, or later than 11.4.3 for the 11.4.x series, as these versions fix the issue of sensitive configuration fields not being sanitized in support packets.

Additionally, restrict access to support packets and the System Console to trusted administrators only, to prevent unauthorized access to sensitive credentials.

Compliance Impact

The vulnerability allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext. This exposure of sensitive information could potentially lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require the protection of sensitive data and credentials.

Since sensitive configuration fields are not sanitized before inclusion in support packets, unauthorized disclosure of credentials may occur, increasing the risk of data breaches and violating confidentiality requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart