CVE-2026-6517 Overview
CVE-2026-6517 affects Mattermost Desktop App versions <=6.1 5.5.13.0. The application fails to restrict the allow list of domains to which NTLM (NT LAN Manager) credentials are forwarded. Any authenticated user on a Mattermost server that does not have the image proxy enabled can intercept other users' NTLM credentials. The attacker embeds an image that routes to an external web server they control, triggering automatic credential forwarding from victim clients. Mattermost tracks this issue as advisory MMSA-2026-00651. The weakness is categorized as [CWE-522] Insufficiently Protected Credentials.
Critical Impact
Authenticated users can harvest other users' NTLM credentials by embedding malicious images, enabling offline hash cracking or relay attacks against corporate identity systems.
Affected Products
- Mattermost Desktop App versions <=6.1 5.5.13.0
- Deployments without the Mattermost image proxy enabled
- Windows endpoints where NTLM authentication is active
Discovery Timeline
- 2026-06-15 - CVE-2026-6517 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-6517
Vulnerability Analysis
The Mattermost Desktop App renders inline image content embedded in messages. On Windows hosts, the underlying network stack automatically responds to NTLM authentication challenges when requesting resources from external servers. Without a strict allow list governing which destinations may receive NTLM credentials, the desktop client forwards the user's NTLMv2 hash to attacker-controlled hosts. An adversary on the same Mattermost server posts a message containing an image URL pointing to their server. When the victim's desktop client fetches that image, Windows performs the NTLM handshake and leaks the hash. The image proxy feature, when enabled, prevents this by retrieving images server-side, but many deployments leave it disabled.
Root Cause
The root cause is missing domain validation before NTLM credentials are released. The desktop application trusts any URL embedded in chat content and allows the operating system to attempt authenticated fetches against arbitrary destinations. This maps to [CWE-522] Insufficiently Protected Credentials.
Attack Vector
Exploitation requires only low-privileged access to a Mattermost server. The attacker posts a message containing a Markdown image reference such as . When viewed by a desktop client, the request triggers NTLM authentication against the attacker host. Captured Net-NTLMv2 hashes can be cracked offline or relayed against internal services such as SMB or LDAP.
// No verified public exploit code is available.
// See the Mattermost security advisory MMSA-2026-00651 for technical details.
Detection Methods for CVE-2026-6517
Indicators of Compromise
- Outbound HTTP or HTTPS requests from Mattermost.exe to untrusted external domains carrying Authorization: NTLM or Authorization: Negotiate headers.
- Messages in Mattermost channels containing externally hosted images with unusual or one-off domains.
- Authentication events on internal services showing NTLM relay attempts originating from desktop client IP addresses.
Detection Strategies
- Inspect proxy and firewall logs for NTLM handshake traffic initiated by the Mattermost desktop process.
- Hunt for image links in Mattermost message exports that resolve to non-corporate domains.
- Correlate Windows Security event 4624 Logon Type 3 entries with desktop client activity to detect relay attempts.
Monitoring Recommendations
- Enable network egress monitoring for the Mattermost desktop binary and alert on NTLM challenge responses leaving the perimeter.
- Audit Mattermost server configuration to verify whether the image proxy is enabled across all deployments.
- Monitor authentication telemetry for anomalous NTLM activity originating from workstations running the desktop client.
How to Mitigate CVE-2026-6517
Immediate Actions Required
- Upgrade the Mattermost Desktop App to a release that postdates version 6.1 5.5.13.0 and includes the MMSA-2026-00651 fix.
- Enable the Mattermost image proxy on all servers to ensure images are fetched server-side rather than by clients.
- Block outbound NTLM authentication at the perimeter firewall to prevent credential leakage to internet hosts.
Patch Information
Mattermost has published remediation guidance under advisory MMSA-2026-00651. Refer to the Mattermost Security Updates page for fixed versions and release notes.
Workarounds
- Enable ServiceSettings.ImageProxyType on the Mattermost server so that image content is proxied and client-side fetches to attacker domains do not occur.
- Apply Windows Group Policy Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers set to Deny all or Audit all to suppress outbound NTLM authentication.
- Restrict the Mattermost desktop process from reaching arbitrary external hosts using endpoint firewall rules until patching is complete.
# Windows registry workaround to block outbound NTLM authentication
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

