PatchSiren cyber security CVE debrief

CVE-2026-4339 Mattermost CVE debrief

CVE-2026-4339 is a medium-severity vulnerability affecting Mattermost Server versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6. The vulnerability is caused by a failure to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server. This allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) attacks and exfiltrate data from internal network services by supplying internal URLs as file attachments in post creation requests. The vulnerability has a CVSS score of 6.5 and is classified as CWE-918. Mattermost has released an advisory (MMSA-2026-00635) addressing this issue.

Vendor: Mattermost
Product: Mattermost Server
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Organizations using Mattermost Server versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6 should prioritize patching this vulnerability to prevent potential SSRF attacks. Security teams and administrators responsible for maintaining Mattermost installations should be aware of this vulnerability and take necessary actions to mitigate the risk.

Technical summary

The vulnerability exists in the Mattermost Agents plugin MCP server, which fails to validate attachment URLs against internal or private IP ranges. This allows an attacker to perform SSRF attacks by supplying internal URLs as file attachments in post creation requests. The vulnerability has a CVSS score of 6.5 and is classified as CWE-918. Affected versions include Mattermost Server 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6.

Defensive priority

Patching this vulnerability is of medium priority due to its CVSS score of 6.5. Organizations should apply the patches as soon as possible to prevent potential SSRF attacks.

Recommended defensive actions

  • Apply patches for Mattermost Server versions 10.11.x, 11.6.x, and 11.5.x to address the vulnerability.
  • Restrict access to the MCP server in stdio mode to prevent unauthorized access.
  • Monitor Mattermost Server logs for suspicious activity related to SSRF attacks.
  • Implement additional security measures, such as validating every address an attachment URL resolves to against loopback, private, link-local and cloud metadata ranges before any request is made, to prevent SSRF attacks.
  • Review and update incident response plans to address potential SSRF attacks.
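The following Go program is an added illustration of the missing check described in the technical summary and in the IP range validation action above; it is not code from Mattermost or from the Agents plugin, and the resolver table, hostnames and addresses in it are constructed for the example. It rejects attachment URLs that are not http(s), that carry a literal internal address, or whose hostname resolves to one, which is the class of input the advisory says the MCP server failed to filter.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS so the check can run offline against a fake table.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// Extra ranges not covered by net.IP's IsPrivate/IsLoopback/IsLinkLocal* helpers:
// "this network", carrier-grade NAT, benchmarking and reserved (class E) space.
var blockedNets = mustParseCIDRs("0.0.0.0/8", "100.64.0.0/10", "198.18.0.0/15", "240.0.0.0/4")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlockedIP reports whether ip falls in loopback, private, link-local
// (which includes the 169.254.169.254 cloud metadata address), multicast,
// unspecified or one of the extra reserved ranges above.
func IsBlockedIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateAttachmentURL accepts only http(s) URLs whose host is a public
// address. Hostnames are resolved and every returned address is checked, so
// a name that maps to an internal address is rejected just like a raw IP.
func ValidateAttachmentURL(ctx context.Context, raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and any IPv6 brackets
	if host == "" {
		return errors.New("URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(ctx, host); err != nil {
		return fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// FakeResolve is a constructed lookup table standing in for DNS (assumed data, not real hosts).
func FakeResolve(_ context.Context, host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"files.example.com": {net.ParseIP("203.0.113.10")},
		"localhost":         {net.ParseIP("127.0.0.1")},
		"metadata.internal": {net.ParseIP("169.254.169.254")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, raw := range []string{
		"https://files.example.com/report.pdf",
		"http://10.0.0.5/internal-service",
		"http://[::1]:8065/",
		"http://metadata.internal/",
		"ftp://files.example.com/report.pdf",
	} {
		fmt.Printf("%-40s -> %v\n", raw, ValidateAttachmentURL(context.Background(), raw, FakeResolve))
	}
}
```

Two caveats apply to any check of this shape. The validation result is only as good as the moment it was taken: a hostname can resolve differently between the check and the actual fetch, so the HTTP client should either dial the address that was validated or re-run IsBlockedIP inside its dialer. Redirect targets returned by the fetched server are new URLs and must go through the same validation before being followed.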

Evidence notes

The vulnerability is documented in the CVE-2026-4339 record and the Mattermost Advisory ID: MMSA-2026-00635. The NVD provides detailed information about the vulnerability, including its CVSS score and affected versions.

Official resources

This article is AI-assisted and based on the supplied source corpus.