CVE-2026-6347 Overview
CVE-2026-6347 is an information disclosure vulnerability in Mattermost Server affecting the Mattermost Calls plugin. The flaw stems from improper sanitization of sensitive configuration fields when generating support packets. An attacker with access to a support packet can extract Traversal Using Relays around NAT (TURN) server credentials in plaintext from the exported plugin configuration. The issue is tracked under Mattermost Advisory ID MMSA-2026-00605 and categorized as [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Disclosure of TURN server credentials enables unauthorized relay use, potential call interception, and abuse of the customer's media infrastructure.
Affected Products
- Mattermost Server versions 11.5.x up to and including 11.5.1
- Mattermost Server versions 11.4.x up to and including 11.4.3
- Mattermost Server versions 10.11.x up to and including 10.11.13
Discovery Timeline
- 2026-05-18 - CVE-2026-6347 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-6347
Vulnerability Analysis
The vulnerability resides in the Mattermost Calls plugin support packet generation logic. Support packets are diagnostic bundles that administrators export to troubleshoot server issues. These packets include plugin configuration data intended for support engineers.
The Calls plugin stores TURN server credentials used to relay WebRTC media when peers cannot connect directly. The packet exporter fails to redact or mask these sensitive fields before writing them to the bundle. As a result, plaintext TURN credentials appear in the exported configuration.
An authenticated attacker with high privileges who can request or retrieve a support packet obtains these credentials directly. The CVSS scope is rated as changed because compromised TURN credentials extend the impact beyond the Mattermost server itself to the third-party relay infrastructure.
Root Cause
The root cause is missing sanitization of sensitive configuration fields in the Mattermost Calls plugin export routine. Fields containing TURN authentication secrets are serialized verbatim rather than being masked, removed, or replaced with placeholder values.
Attack Vector
The attack requires network access to the Mattermost server and elevated privileges sufficient to obtain a support packet. Once the attacker downloads or intercepts the packet, they parse the plugin configuration section and extract the TURN credentials. No user interaction is required. The credentials can then be replayed against the TURN service to relay arbitrary media or exhaust quota.
No verified proof-of-concept code is publicly available. The vulnerability mechanism is described in the Mattermost security advisory.
Detection Methods for CVE-2026-6347
Indicators of Compromise
- Support packet downloads from accounts that do not normally perform diagnostic exports.
- Unexpected TURN server authentication events originating from external or unrecognized client IP addresses.
- Spikes in TURN relay bandwidth consumption not correlated with active Mattermost call sessions.
Detection Strategies
- Audit Mattermost administrative logs for GetSupportPacket or equivalent support bundle export actions and correlate against expected administrator activity.
- Inspect archived support packets for the presence of plaintext TURN credentials to assess past exposure.
- Monitor TURN server logs for authentication anomalies, including geographic outliers and credential reuse from multiple sources.
Monitoring Recommendations
- Enable centralized logging of all Mattermost admin API calls and forward to a security information and event management (SIEM) platform.
- Alert on any export of support packets outside of approved change windows or by non-administrator accounts.
- Track TURN server usage metrics and baseline normal session volume to detect credential abuse.
How to Mitigate CVE-2026-6347
Immediate Actions Required
- Upgrade Mattermost Server to a patched release beyond 11.5.1, 11.4.3, or 10.11.13 as listed in the Mattermost Security Advisory.
- Rotate all TURN server credentials configured in the Mattermost Calls plugin if any support packet has been generated on a vulnerable version.
- Review and restrict the set of accounts holding the System Admin role and the ability to export support packets.
Patch Information
Mattermost has released fixed versions addressing MMSA-2026-00605. Administrators should consult the Mattermost Security Updates page for the specific fixed build numbers and upgrade guidance applicable to their deployment branch.
Workarounds
- Avoid generating or sharing support packets from vulnerable versions until the upgrade is applied.
- If a support packet must be shared, manually inspect and redact the Calls plugin configuration section to remove TURN credentials before transmission.
- Restrict access to existing archived support packets stored in ticketing systems, shared drives, or backup repositories.
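The following script is an added example, not Mattermost or Calls plugin code: it walks the plugin configuration section of an exported support packet, reports where non-empty secrets sit under credential-like keys (the past-exposure check above), and produces a redacted copy (the manual redaction workaround and the sanitization step the exporter lacked). The sample config is constructed, and the key names ICEServersConfigs and TURNStaticAuthSecret are assumptions about the plugin's layout; matching is by key name pattern so it does not depend on the exact schema.

```python
"""Scan a support packet's plugin config for plaintext TURN secrets and make a
redacted copy. Added example, not Mattermost/Calls plugin code. Key names in the
sample (ICEServersConfigs, TURNStaticAuthSecret) are assumed; matching is by name."""
import json
import re
from typing import Any

# Keys holding auth material, matched case-insensitively on the key name alone,
# so nested ICE/TURN server entries are covered without knowing the exact schema.
SENSITIVE_KEY_RE = re.compile(r"credential|secret|password", re.IGNORECASE)
MASK = "[REDACTED]"

# Constructed sample of the plugin section of an exported config (not real data).
SAMPLE_PLUGIN_CONFIG = json.loads("""{
  "PluginSettings": {"Plugins": {"com.mattermost.calls": {
    "ICEServersConfigs": [{"urls": ["turn:turn.example.invalid:3478"],
                           "username": "calls", "credential": "hunter2-constructed"}],
    "TURNStaticAuthSecret": "static-secret-constructed",
    "TURNCredentialsExpirationMinutes": 1440,
    "AllowScreenSharing": true
  }}}
}""")


def _is_secret(key: str, value: Any) -> bool:
    # Only non-empty, not-yet-masked strings count; numeric settings such as an
    # expiry window under a "Credentials..." key are configuration, not secrets.
    return bool(SENSITIVE_KEY_RE.search(key)) and isinstance(value, str) and value not in ("", MASK)


def find_secrets(node: Any, path: str = "$") -> list[str]:
    """Return JSONPath-like locations of plaintext secrets (past-exposure check)."""
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            found += [child] if _is_secret(key, value) else find_secrets(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += find_secrets(item, f"{path}[{i}]")
    return found


def redact(node: Any) -> Any:
    """Deep-copy with every sensitive string masked; the input is left untouched."""
    if isinstance(node, dict):
        return {k: MASK if _is_secret(k, v) else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node
```

Run `find_secrets` over the parsed config of each archived packet to list exposures, and write `json.dumps(redact(config))` in place of the original section before a packet leaves the organization.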
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.