Server-Side Request Forgery in Mattermost Agents Plugin
CVE-2026-4339

6.5MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
26 June 2026

What is CVE-2026-4339?

The Mattermost Agents plugin has a significant vulnerability that allows unauthorized access to internal network services due to insufficient validation of attachment URLs. Versions 10.11.x up to 10.11.18, 11.6.x up to 11.6.3, and 11.5.x up to 11.5.6 are affected. An attacker with access to the MCP server in stdio mode can exploit this flaw to craft requests that lead to server-side request forgery (SSRF). This enables them to exfiltrate sensitive data by using internal URLs disguised as file attachments during post creation. For further details, refer to the Mattermost Advisory ID: MMSA-2026-00635.

Affected Version(s)

Mattermost 10.11.0 <= 10.11.18

Mattermost 11.6.0 <= 11.6.3

Mattermost 11.5.0 <= 11.5.6

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

s00me00ne
.