CVE-2026-6346 Overview
CVE-2026-6346 is an information disclosure vulnerability in Mattermost Server that exposes sensitive configuration credentials in plaintext within generated support packets. The flaw affects Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3. The server fails to sanitize sensitive configuration fields before bundling them into the support packet that System Admins can download from the System Console. Any party with access to a support packet, including System Admins or anyone who handles the file during a support workflow, can recover credentials that should remain protected. Mattermost tracks the issue as advisory MMSA-2026-00607 and classifies it under [CWE-200].
Critical Impact
An attacker or insider with support packet access can extract plaintext credentials, enabling further compromise of integrated systems such as databases, SMTP, LDAP, and external services.
Affected Products
- Mattermost Server 11.5.x through 11.5.1
- Mattermost Server 11.4.x through 11.4.3
- Mattermost Server 10.11.x through 10.11.13
Discovery Timeline
- 2026-05-18 - CVE-2026-6346 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-6346
Vulnerability Analysis
Mattermost generates support packets to help administrators share diagnostic data with the vendor or internal teams. The packet bundles server configuration, logs, and runtime metadata into a downloadable archive. The vulnerable releases include sensitive configuration fields in this archive without redaction. Credentials embedded in the configuration appear in plaintext inside the resulting file. The exposure spans secrets used to connect Mattermost to backend and integrated services. Because the System Console exposes the download action, any account or process able to invoke support packet generation can retrieve these secrets. The vulnerability is classified as Information Exposure under [CWE-200] and affects three concurrent release branches.
Root Cause
The root cause is missing sanitization in the support packet generation routine. Configuration serialization writes secret-bearing fields directly into the packet output rather than masking them. Mattermost typically obfuscates such fields, for example replacing values with a fixed placeholder, when emitting configuration to other surfaces. The support packet code path does not apply the same redaction logic, so secrets persist in plaintext.
Attack Vector
Exploitation requires high privileges, namely a Mattermost System Admin account or another path to a generated support packet. An attacker with these privileges navigates to the System Console, triggers a support packet download, and inspects the archive for credential fields. Alternatively, an attacker who intercepts a support packet shared through email, ticket attachments, or cloud storage can extract the same secrets. The scope is changed because credentials harvested from the packet can authorize the attacker against downstream systems outside Mattermost itself.
No public exploit code or proof-of-concept has been published. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the EPSS probability is 0.03%.
Detection Methods for CVE-2026-6346
Indicators of Compromise
- Support packet archive files (mattermost_support_packet_*.zip) created or downloaded by System Console users outside of scheduled support workflows.
- Audit log entries showing GET /api/v4/system/support_packet or equivalent support packet generation calls from unexpected admin accounts or source IP addresses.
- Outbound transfers of support packet archives to personal mail, file sharing, or external storage destinations.
Detection Strategies
- Review Mattermost audit logs for support packet generation events and correlate with the requesting admin identity, time of day, and originating IP.
- Inspect any retained support packets from affected versions for plaintext secrets, treating their presence as confirmation of exposure rather than active exploitation.
- Alert on privileged session activity in the System Console combined with file downloads from the diagnostics endpoints.
Monitoring Recommendations
- Forward Mattermost application and audit logs to a centralized SIEM and build queries that flag support packet creation by accounts that do not normally perform support tasks.
- Monitor data loss prevention (DLP) controls for archives matching the support packet naming convention leaving the corporate network.
- Track System Admin role assignments and authentication events to detect unauthorized elevation that could lead to packet generation.
How to Mitigate CVE-2026-6346
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release above 11.5.1, 11.4.3, or 10.11.13 on the corresponding branch as published in the Mattermost Security Updates advisory.
- Rotate every credential stored in the Mattermost configuration, including database, SMTP, LDAP/AD bind, OAuth, S3, push notification, and webhook secrets.
- Locate and securely delete any existing support packets generated from affected versions, including copies in ticketing systems, mailboxes, and shared drives.
- Audit System Admin role membership and remove accounts that do not require that privilege.
Patch Information
Mattermost addresses the issue under advisory MMSA-2026-00607. Apply the fixed builds documented in the Mattermost Security Updates portal that supersede 11.5.1, 11.4.3, and 10.11.13. After patching, regenerate a test support packet and verify that sensitive fields are masked before reusing the support workflow.
Workarounds
- Restrict the System Admin role to a minimal set of accounts and require multi-factor authentication for all of them until the patch is applied.
- Disable or block administrative procedures that produce support packets on affected versions, and require vendor support to rely on targeted log exports instead.
- Treat any existing support packet as sensitive material, store it only in access-controlled locations, and purge it after use.
# Configuration example: rotate Mattermost secrets after patching
# 1. Stop the Mattermost service
sudo systemctl stop mattermost
# 2. Update sensitive fields in config.json (database, SMTP, LDAP, S3, etc.)
sudo vi /opt/mattermost/config/config.json
# 3. Restart the service and verify a freshly generated support
# packet no longer contains plaintext credentials
sudo systemctl start mattermost
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
