Mattermost Calls Plugin Exposes TURN Server Credentials via CVE-2026-6347

The National Vulnerability Database has detailed CVE-2026-6347, a high-severity vulnerability (CVSS 7.6) affecting Mattermost versions 11.5.x up to 11.5.1, 10.11.x up to 10.11.13, and 11.4.x up to 11.4.3. The flaw resides in the Mattermost Calls plugin, which fails to properly sanitize sensitive configuration fields before they are included in an exported support packet.

According to the National Vulnerability Database, an attacker with access to a support packet can exploit this weakness. They can obtain plaintext TURN server credentials directly from the exported plugin configuration. This isn’t some theoretical bypass; it’s a direct exposure of critical authentication data, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

This vulnerability highlights a fundamental issue: treating configuration exports as benign. Attackers are constantly looking for low-friction ways to escalate privileges or pivot. Access to TURN server credentials can facilitate man-in-the-middle attacks, eavesdropping, or denial-of-service against voice and video communications, undermining the very trust Mattermost aims to build for team collaboration.

What This Means For You

  • If your organization uses Mattermost, specifically the Calls plugin, you need to verify your version immediately. Patch to a fixed version to mitigate CVE-2026-6347. Beyond patching, review your Mattermost support packet access controls. Assume any exported configuration could be compromised and audit for any unauthorized access to these packets.
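As an added illustration (not Mattermost code), the kind of redaction the plugin should have applied, paired with the audit a defender can run over an already-exported packet: it masks credential-bearing fields in a Calls plugin configuration and lists any sensitive value still in plaintext. The field names ICEServersConfigs and TURNStaticAuthSecret, the JSON-in-a-string encoding of the ICE server list, and the "********" placeholder are assumptions about the plugin's settings; the sample configuration is constructed.

```python
"""Redact TURN credentials from a Mattermost Calls plugin config before export, and audit an
exported copy for plaintext ones. Added example, not Mattermost code; field names are assumed."""
import copy
import json

REDACTED = "********"
SAMPLE = {  # constructed config, not real credentials
    "TURNStaticAuthSecret": "example-static-secret",
    "TURNCredentialsExpirationMinutes": 1440,
    "ICEServersConfigs": json.dumps([{"urls": ["turn:turn.example.org:3478"],
                                      "username": "calls",
                                      "credential": "example-turn-password"}]),
}

def _is_sensitive(key):  # TURN auth secret, ICE credential, password, ...
    return any(w in key.lower() for w in ("secret", "password", "credential"))

def _walk(node, path, on_hit):
    """Visit dicts, lists and JSON-encoded strings; call on_hit(container, key, path)."""
    if isinstance(node, dict):
        for k in list(node):
            v, p = node[k], (f"{path}.{k}" if path else k)
            if _is_sensitive(k) and isinstance(v, str):
                on_hit(node, k, p)
            elif isinstance(v, str) and v.lstrip()[:1] in ("[", "{"):
                try:  # e.g. ICEServersConfigs: a JSON document stored in a string
                    inner = json.loads(v)
                except ValueError:
                    continue
                _walk(inner, p, on_hit)
                node[k] = json.dumps(inner)  # write back the redacted document
            else:
                _walk(v, p, on_hit)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", on_hit)

def sanitize_plugin_config(cfg):
    """Return a deep copy with every sensitive string value replaced by REDACTED."""
    out = copy.deepcopy(cfg)
    _walk(out, "", lambda c, k, p: c.__setitem__(k, REDACTED))
    return out

def find_plaintext_credentials(cfg):
    """Audit an exported config: paths whose sensitive value is neither empty nor redacted."""
    hits = []
    _walk(copy.deepcopy(cfg), "", lambda c, k, p: hits.append(p) if c[k] not in ("", REDACTED) else None)
    return hits
```

Numeric settings whose names merely contain "credential" (such as an expiry in minutes) pass through untouched, because only string values are masked.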

Indicators of Compromise

ID              Type                     Indicator
CVE-2026-6347   Information Disclosure   Mattermost Calls plugin configuration
CVE-2026-6347   Information Disclosure   Mattermost versions 11.5.x <= 11.5.1
CVE-2026-6347   Information Disclosure   Mattermost versions 10.11.x <= 10.11.13
CVE-2026-6347   Information Disclosure   Mattermost versions 11.4.x <= 11.4.3
CVE-2026-6347   Information Disclosure   TURN server credentials via exported plugin configuration
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 18, 2026 at 12:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.