Configuration Exposure in Mattermost Plugin Affects Various Versions
CVE-2026-6347

7.6HIGH

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 18 May 2026

What is CVE-2026-6347?

Certain versions of the Mattermost Calls plugin exhibit a significant security flaw where sensitive configuration fields are not adequately sanitized. This vulnerability enables attackers who have access to a support packet to extract TURN server credentials from the plaintext data within the exported plugin configuration. This issue affects Mattermost versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3, posing a risk of compromising network security and user privacy.

Affected Version(s)

Mattermost 11.5.0 <= 11.5.1

Mattermost 10.11.0 <= 10.11.13

Mattermost 11.4.0 <= 11.4.3

References

https://mattermost.com/security-updates

vendor-advisory

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 18, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Edgar Bellot Micó

CVE-2026-6347 Data

JSON