Mattermost CVE-2026-6346: Support Packets Leak Sensitive Credentials

/HIGH /CVSS 8.7/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-200
Mattermost CVE-2026-6346: Support Packets Leak Sensitive Credentials

The National Vulnerability Database has disclosed CVE-2026-6346, affecting Mattermost versions 11.5.x up to 11.5.1, 10.11.x up to 10.11.13, and 11.4.x up to 11.4.3. This vulnerability stems from Mattermost’s failure to properly sanitize sensitive configuration fields before generating support packets. The result is that these packets can contain plaintext credentials.

This flaw allows a Mattermost System Admin, or any party with access to a generated support packet, to extract highly sensitive information. The issue carries a CVSS score of 8.7 (HIGH), indicating a severe risk. It’s classified under CWE-200, highlighting the information exposure risk.

The attacker’s calculus here is straightforward: gain admin access, then exfiltrate a support packet. The impact is direct credential compromise, which can lead to further system access or lateral movement within an environment. Defenders need to recognize that even ‘trusted’ administrative functions can introduce significant risk if not meticulously secured.

What This Means For You

  • If your organization uses Mattermost, you need to immediately identify all instances running affected versions. Patching to the latest secure versions is critical. Beyond patching, review your internal procedures for generating, storing, and accessing Mattermost support packets. Assume any past packets generated by affected versions contain plaintext secrets and rotate those credentials.

Related ATT&CK Techniques

T1537 Cloud Configuration Collection T1074 Data Staged Collection

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

medium T1537 Exfiltration

Data Exfiltration to Cloud Storage

Sigma YAML — free preview 
title: Data Exfiltration to Cloud Storage
id: scw-2026-05-18-1
status: experimental
level: medium
description: |
  Detects large file uploads to cloud storage services, which may indicate data exfiltration following the CVE-2026-6346 incident.
author: SCW Feed Engine (auto-generated)
date: 2026-05-18
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6346/
tags:
  - attack.exfiltration
  - attack.t1537
logsource:
    category: proxy
detection:
  selection:
      dst_domain|contains:
        - 'drive.google.com'
        - 'dropbox.com'
        - 'mega.nz'
        - 'onedrive.live.com'
        - 'anonfiles.com'
      sc-bytes|gt: 5000000
      condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-6346

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-6346 Information Disclosure Mattermost versions 11.5.x <= 11.5.1
CVE-2026-6346 Information Disclosure Mattermost versions 10.11.x <= 10.11.13
CVE-2026-6346 Information Disclosure Mattermost versions 11.4.x <= 11.4.3
CVE-2026-6346 Information Disclosure Sensitive configuration fields included in support packet generation
CVE-2026-6346 Information Disclosure Obtain sensitive credentials in plaintext via downloading a support packet from the System Console

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 18, 2026 at 12:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-20240 — Denial of Service

CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-20
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...

vulnerabilityCVEhigh-severitycwe-532
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 4 Sigma

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...

vulnerabilityCVEmedium-severitycwe-863
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma