PatchSiren cyber security CVE debrief

CVE-2026-6346 Mattermost CVE debrief

Mattermost fixed a credential-exposure issue in support packet generation that affected specific 10.11.x, 11.4.x, and 11.5.x releases. On vulnerable versions, sensitive configuration fields were not sanitized before a support packet was created, so a System Admin or anyone with access to the packet could retrieve plaintext credentials from the downloaded file. NVD rates the issue as high severity (CVSS 8.7) and maps it to CWE-200.

Vendor: Mattermost
Product: Mattermost Server
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Mattermost system administrators, security teams, and support staff who create, download, or share support packets from the System Console on affected Mattermost Server releases.

Technical summary

According to the vendor-referenced advisory and NVD record, Mattermost Server failed to sanitize sensitive configuration fields before including them in support packet generation. The affected release ranges are 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1. The NVD entry lists CVSS v3.1 8.7 HIGH with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Defensive priority

High — the issue requires privileged access, but it can expose plaintext credentials and other sensitive configuration data in support packets.

Recommended defensive actions

  • Upgrade Mattermost Server to 10.11.14 or later, 11.4.4 or later, or 11.5.2 or later.
  • Review any support packets generated on affected versions and treat them as potentially containing plaintext credentials.
  • Rotate or revoke any credentials or secrets that may have been included in previously generated or shared support packets.
  • Restrict System Console and support packet access to the minimum necessary administrators and support personnel.
  • Use the vendor security-updates page and the NVD record to confirm the affected release line before scheduling remediation.
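The first two actions above (confirming whether a deployment is on an affected release, and reviewing previously generated support packets for unredacted values) can be scripted. The following is an added example, not Mattermost's own code: the version ranges come from the advisory, while the sensitive-key substrings and the redaction marker are assumed placeholders to be adjusted against a packet from a fixed build.

```python
"""Added defensive helper for CVE-2026-6346 (example code, not Mattermost's own).
is_affected(): is a Mattermost Server version inside the advisory's vulnerable ranges?
find_unredacted(): which sensitive keys in a support packet's config JSON still carry
a real value instead of a redaction marker? SENSITIVE_KEYS and REDACTION_MARKER are
assumed placeholders, not Mattermost's actual list or marker.
"""
import re

# Inclusive vulnerable ranges from the advisory: (first affected, last affected).
AFFECTED_RANGES = [
    ((10, 11, 0), (10, 11, 13)),
    ((11, 4, 0), (11, 4, 3)),
    ((11, 5, 0), (11, 5, 1)),
]
# Assumed substrings marking keys that must not appear in plaintext (adjust locally).
SENSITIVE_KEYS = ("Password", "Secret", "Token", "PrivateKey", "DataSource")
REDACTION_MARKER = "********"  # assumed; confirm against a packet from a fixed build

def parse_version(version: str) -> tuple:
    """Turn '11.4.3', 'v11.4.3' or '11.4.3-rc1' into (11, 4, 3)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version: str) -> bool:
    """True if the version lies inside one of the inclusive affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def find_unredacted(config: dict, path: str = "") -> list:
    """Return dotted paths of sensitive keys whose value is a non-empty
    string other than the redaction marker; recurses into nested sections."""
    hits = []
    for key, value in config.items():
        dotted = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            hits.extend(find_unredacted(value, dotted))
        elif any(s.lower() in key.lower() for s in SENSITIVE_KEYS):
            if isinstance(value, str) and value and value != REDACTION_MARKER:
                hits.append(dotted)
    return hits

# Constructed sample shaped like a support-packet config.json (not a real packet).
SAMPLE_CONFIG = {
    "SqlSettings": {"DataSource": "postgres://mm:EXAMPLE_PASSWORD@db/mattermost"},
    "EmailSettings": {"SMTPPassword": "********", "SMTPUsername": "relay"},
    "ServiceSettings": {"SiteURL": "https://chat.example.com"},
}
```

Any path returned by `find_unredacted` on a packet from an affected version identifies a secret that should be treated as exposed and rotated, per the actions above.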

Evidence notes

This debrief is based on the official NVD record for CVE-2026-6346 and the vendor advisory reference linked from NVD. The NVD entry states that Mattermost Server versions 10.11.0-10.11.13, 11.4.0-11.4.3, and 11.5.0-11.5.1 are vulnerable because sensitive configuration fields were not sanitized before support packet generation. NVD classifies the weakness as CWE-200 and assigns CVSS v3.1 8.7 HIGH (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N).

Official resources

CVE published 2026-05-18 and last modified 2026-05-18. NVD references Mattermost's security-updates page as the vendor advisory source.