CVE-2026-6347
Received - Intake
Authentication Bypass in Mattermost Calls Plugin

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials from the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605
Meta Information
Published: 2026-05-18
Last Modified: 2026-05-18
Generated: 2026-05-20
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-05-19
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.14 (exc)
mattermost mattermost_server From 11.4.0 (inc) to 11.4.4 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.2 (exc)
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker with access to a support packet to obtain TURN server credentials in plaintext from the Mattermost Calls plugin configuration. This exposure of sensitive credentials could potentially lead to unauthorized access or data breaches.

Such exposure of sensitive information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive data and credentials to prevent unauthorized access and ensure confidentiality.

However, the provided information does not explicitly detail the direct compliance implications or specific regulatory impacts.


Can you explain this vulnerability to me?

This vulnerability affects certain versions of Mattermost, specifically versions 11.5.x up to 11.5.1, 10.11.x up to 10.11.13, and 11.4.x up to 11.4.3. The issue is that the Mattermost Calls plugin fails to sanitize sensitive configuration fields properly. As a result, an attacker who has access to a support packet can obtain TURN server credentials because these credentials are present in plaintext within the exported plugin configuration.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized disclosure of sensitive TURN server credentials. An attacker with access to a support packet could use these credentials to potentially interfere with or eavesdrop on communications that rely on the TURN server, compromising confidentiality. The CVSS score of 7.6 indicates a high severity impact, with confidentiality being highly affected, integrity not impacted, and availability slightly impacted.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update Mattermost to a version later than the affected versions (11.5.1, 10.11.13, 11.4.3) where the issue with the Mattermost Calls plugin configuration sanitization has been fixed.

Additionally, review and restrict access to support packets and exported plugin configurations to prevent unauthorized access to sensitive TURN server credentials.

Stay informed about security updates by subscribing to Mattermost's Security Bulletin and regularly checking their security updates page.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Mattermost Calls plugin exporting sensitive TURN server credentials in plaintext within support packets. Detection would involve inspecting exported support packets or plugin configuration files for the presence of these plaintext credentials.

Since the vulnerability is related to specific Mattermost versions (11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3), first verify the Mattermost server version in use.

  • Check the Mattermost server version by running: `mattermost version` or checking the server's about page.
  • Export a support packet from the Mattermost Calls plugin and search for TURN server credentials in the configuration files using commands like: `grep -i turn /path/to/support_packet/*`.
  • Monitor network traffic for unencrypted transmission of TURN server credentials, though this may require packet capture tools like tcpdump or Wireshark.
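As an added example (not code from the advisory or from the Mattermost project), a small Python checker that applies the two detection steps above: it compares a server version string against the affected ranges given in the CPE table, and walks an exported plugin configuration for TURN credential fields that still hold an unmasked value. The plugin id, the field names, the `********` mask and the sample configuration are assumptions constructed for the example; adjust them to what your own support packet contains.

```python
import re

# Affected ranges from the advisory's CPE table: [first affected, first fixed)
AFFECTED_RANGES = [((10, 11, 0), (10, 11, 14)),
                   ((11, 4, 0), (11, 4, 4)),
                   ((11, 5, 0), (11, 5, 2))]
SANITIZED_MASK = "********"  # assumed mask a sanitized export shows instead of the value
# Assumed key pattern for TURN credential fields; adjust to your packet's field names
CREDENTIAL_KEY = re.compile(r"turn.*(secret|credential|password)", re.I)


def parse_version(text):
    """Turn 'v11.5.1' or '11.5.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Mattermost version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the server version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_plaintext_credentials(node, path=()):
    """Walk an exported plugin config and return the paths of credential-like
    string fields whose value is present and not masked."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_plaintext_credentials(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_plaintext_credentials(value, path + (str(i),))
    elif isinstance(node, str) and path and CREDENTIAL_KEY.search(path[-1]):
        if node and node != SANITIZED_MASK:
            hits.append("/".join(path))
    return hits


# Constructed sample of the Calls plugin section of a support packet export.
# The plugin id and field names are assumptions, not copied from a real packet.
SAMPLE_CONFIG = {"PluginSettings": {"Plugins": {"com.mattermost.calls": {
    "turnstaticauthsecret": "constructed-secret-value",
    "turncredentialsexpirationminutes": 1440,  # non-string, so never flagged
    "iceserversconfigs": '[{"urls":["turn:turn.example.invalid:3478"]}]',
}}}}

print("affected:", is_affected("11.5.1"))
print("plaintext credential fields:", find_plaintext_credentials(SAMPLE_CONFIG))
```

A packet whose credential fields show only the mask (or are empty) yields no hits, which is the state a patched server's export should be in.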
