CVE-2026-6345 Overview
CVE-2026-6345 affects Mattermost Server versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3. The server fails to prevent disclosure of newly created user passwords. An authenticated attacker with high privileges can harvest these credentials and impersonate other users on the platform. Mattermost tracks this issue under advisory MMSA-2026-00614 and classifies it under CWE-522: Insufficiently Protected Credentials.
Critical Impact
Disclosed user passwords enable account impersonation, granting attackers access to private channels, direct messages, and integrations belonging to compromised users.
Affected Products
- Mattermost Server 11.5.x up to and including 11.5.1
- Mattermost Server 11.4.x up to and including 11.4.3
- Mattermost Server 10.11.x up to and including 10.11.13
Discovery Timeline
- 2026-05-18 - CVE-2026-6345 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-6345
Vulnerability Analysis
The vulnerability resides in the user creation workflow within Mattermost Server. The server fails to adequately protect passwords associated with newly created accounts. An attacker with elevated privileges can observe or retrieve these credentials through paths that should have masked or omitted sensitive data.
The Exploit Prediction Scoring System (EPSS) currently places this issue in the lower probability range for near-term exploitation. However, the impact remains high because successful exploitation yields valid credentials usable for direct authentication and impersonation.
Root Cause
The root cause is insufficient credential protection during user provisioning, mapped to CWE-522. Mattermost Server returns or stores the plaintext or recoverable form of user passwords in a location accessible to privileged callers. The server should redact password fields from API responses, logs, and administrative views following account creation.
Attack Vector
Exploitation requires network access to the Mattermost Server and an account with high privileges. The attacker invokes the user creation flow or queries related endpoints to capture credentials of accounts being provisioned. The attacker then authenticates as the impersonated user, gaining access to that user's messages, channels, and team resources. The attack does not require user interaction from the victim.
No public proof-of-concept code or exploit has been published. Refer to the Mattermost Security Updates advisory for vendor technical details.
Detection Methods for CVE-2026-6345
Indicators of Compromise
- Unexpected successful logins for recently created user accounts originating from IP addresses or devices that differ from the user's normal pattern.
- Audit log entries showing administrative API calls that enumerate or retrieve user account details shortly after account creation events.
- Session activity for new users occurring before the legitimate user has completed first-time login or password setup.
Detection Strategies
- Correlate Users.Create events with subsequent authentication events to flag accounts that log in from unexpected sources within a short interval.
- Inspect administrative and audit logs for high-frequency reads of user objects by privileged accounts, which may indicate credential harvesting.
- Monitor admin tokens and personal access tokens for anomalous query volume against user management endpoints.
Monitoring Recommendations
- Forward Mattermost audit logs to a centralized logging platform and alert on bulk user reads by administrative accounts.
- Track creation-to-login latency for new accounts and investigate accounts that authenticate immediately from non-corporate networks.
- Review privileged role assignments regularly and remove unused administrative accounts that could be abused to exploit this flaw.
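The creation-to-login correlation described in the detection strategies and monitoring recommendations above, as an added example that is not part of the original page or of Mattermost's own tooling. It assumes a constructed one-JSON-object-per-line audit format with `ts`, `event`, `user_id` and `ip_address` fields and an assumed corporate address range of 10.0.0.0/8; real Mattermost audit records will need their own field names mapped in.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample audit lines (assumed JSON shape, not Mattermost's exact schema).
# Records are deliberately out of order to show that the correlation sorts by time.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-05-18T09:00:00Z", "event": "Users.Create", "actor": "admin1", "user_id": "u1001", "ip_address": "10.0.0.5"}
{"ts": "2026-05-18T09:00:41Z", "event": "UserLogin", "user_id": "u1001", "ip_address": "203.0.113.9"}
{"ts": "2026-05-18T09:05:00Z", "event": "Users.Create", "actor": "admin1", "user_id": "u1002", "ip_address": "10.0.0.5"}
{"ts": "2026-05-18T13:30:00Z", "event": "UserLogin", "user_id": "u1002", "ip_address": "10.0.0.77"}
{"ts": "2026-05-18T09:06:00Z", "event": "Users.Create", "actor": "admin1", "user_id": "u1003", "ip_address": "10.0.0.5"}
{"ts": "2026-05-18T09:06:30Z", "event": "UserLogin", "user_id": "u1003", "ip_address": "10.0.0.5"}
"""

# Assumed corporate network for the sample; adjust to the deployment's real ranges.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_audit(text):
    """Yield audit records with the timestamp parsed into an aware datetime."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def flag_fast_logins(text, window_seconds=600):
    """Return (user_id, seconds_after_creation, login_ip) for accounts whose first
    login follows creation within window_seconds and comes from outside the
    corporate range. These are the accounts the indicators above call out."""
    created, hits = {}, []
    for rec in sorted(parse_audit(text), key=lambda r: r["ts"]):
        if rec["event"] == "Users.Create":
            created[rec["user_id"]] = rec["ts"]
        elif rec["event"] == "UserLogin" and rec["user_id"] in created:
            delay = int((rec["ts"] - created.pop(rec["user_id"])).total_seconds())
            if delay <= window_seconds and not is_corporate(rec["ip_address"]):
                hits.append((rec["user_id"], delay, rec["ip_address"]))
    return hits


if __name__ == "__main__":
    for user_id, delay, ip in flag_fast_logins(SAMPLE_AUDIT_LOG):
        print(f"suspicious: {user_id} logged in {delay}s after creation from {ip}")
```

Only the first login after creation is considered for each account; u1002 logs in hours later and u1003 logs in from the corporate range, so neither is flagged.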
How to Mitigate CVE-2026-6345
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release above 11.5.1, 11.4.3, or 10.11.13 as published in the Mattermost Security Updates portal.
- Rotate passwords for any user accounts created on vulnerable versions, particularly those provisioned by administrators.
- Audit administrator and system admin role membership and revoke unnecessary high-privilege access.
Patch Information
Mattermost has issued patches addressed under advisory MMSA-2026-00614. Administrators should consult the Mattermost Security Updates page for the specific fixed version that aligns with their deployment branch and apply the upgrade following the vendor's documented procedure.
Workarounds
- Restrict administrative API access to trusted management networks using firewall rules or reverse proxy ACLs until patching is complete.
- Enforce multi-factor authentication for all users so that disclosed passwords alone are insufficient to impersonate an account.
- Disable or limit the creation of new accounts by non-essential administrators while remediation is underway.
# Verify the running Mattermost Server version before and after upgrade
mattermost version
# Example: check audit logs for user creation followed by rapid logins
grep -E 'Users.Create|UserLogin' /opt/mattermost/logs/audit.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.