CVE-2026-3472 Overview
CVE-2026-3472 is an information disclosure vulnerability in Mattermost Server. The flaw exists because Mattermost fails to apply markdown image rendering restrictions to AI bot tool result posts. An authenticated attacker can inject markdown image syntax into tool result content. When a victim's client renders the post, the client issues an outbound request to an attacker-controlled server, leaking data. Mattermost tracks this issue under advisory MMSA-2026-00619. The vulnerability is categorized under [CWE-693] Protection Mechanism Failure.
Critical Impact
Authenticated attackers can exfiltrate data to attacker-controlled servers by injecting markdown image syntax into AI bot tool result posts rendered by victim clients.
Affected Products
- Mattermost Server versions 10.11.x up to and including 10.11.18
- Mattermost Server versions 11.6.x up to and including 11.6.3
- Mattermost Server versions 11.5.x up to and including 11.5.6
Discovery Timeline
- 2026-06-26 - CVE-2026-3472 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-3472
Vulnerability Analysis
Mattermost applies markdown image rendering restrictions to prevent clients from automatically fetching remote resources referenced in posts. These restrictions block a well-known exfiltration technique where an attacker embeds  into user-visible content. When rendered, the browser issues an HTTP GET to the attacker's host, transmitting whatever context the attacker encoded into the URL.
The protection is not applied consistently. AI bot tool result posts bypass the rendering restrictions and process markdown image syntax without sanitization. An authenticated attacker who can influence the content returned by an AI bot tool can inject image markdown that renders in the victim's client.
The issue is limited to confidentiality impact. It does not permit code execution, privilege escalation, or modification of server-side data.
Root Cause
The root cause is an incomplete protection mechanism [CWE-693]. Markdown rendering safeguards that block automatic remote image loading are enforced on standard post types but omitted for tool result posts generated by AI bot integrations. The rendering path for these posts trusts the tool output and passes markdown image references directly to the client renderer.
Attack Vector
Exploitation requires an authenticated Mattermost account and user interaction to view the malicious content. The attacker crafts input that causes an AI bot tool to return a result containing markdown image syntax pointing to an attacker-controlled URL. When any victim opens the channel or thread containing the tool result, their client fetches the image, revealing session context, IP address, referer data, or other information encoded in the URL.
No verified public exploit or proof-of-concept is available for CVE-2026-3472. Refer to the Mattermost Security Updates advisory for technical details.
Detection Methods for CVE-2026-3472
Indicators of Compromise
- Outbound HTTP or HTTPS requests from user browsers to unexpected external domains immediately after opening Mattermost channels containing AI bot activity.
- AI bot tool result posts containing markdown image syntax with query strings pointing to non-corporate hosts.
- Unusual DNS lookups from client endpoints correlated with Mattermost usage windows.
Detection Strategies
- Inspect the Mattermost Posts table for tool result records containing the substring 
