Server-Side Request Forgery in Mattermost Agents Plugin
CVE-2026-4339
6.5MEDIUM
What is CVE-2026-4339?
The Mattermost Agents plugin has a significant vulnerability that allows unauthorized access to internal network services due to insufficient validation of attachment URLs. Versions 10.11.x up to 10.11.18, 11.6.x up to 11.6.3, and 11.5.x up to 11.5.6 are affected. An attacker with access to the MCP server in stdio mode can exploit this flaw to craft requests that lead to server-side request forgery (SSRF). This enables them to exfiltrate sensitive data by using internal URLs disguised as file attachments during post creation. For further details, refer to the Mattermost Advisory ID: MMSA-2026-00635.
Affected Version(s)
Mattermost 10.11.0 <= 10.11.18
Mattermost 11.6.0 <= 11.6.3
Mattermost 11.5.0 <= 11.5.6