PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6347 Mattermost CVE debrief

CVE-2026-6347 is a high-severity information disclosure issue in the Mattermost Calls plugin. In affected Mattermost releases, sensitive configuration fields are not properly sanitized when a support packet is generated, which can leave TURN server credentials in plaintext inside the exported plugin configuration. Anyone with access to that support packet could recover the credentials. The CVE was published on 2026-05-18, and NVD lists it as HIGH with a CVSS 3.1 score of 7.6.

Vendor: Mattermost
Product: Unknown
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Mattermost administrators, security teams, and support staff who handle exported support packets should care most. Organizations running the Mattermost Calls plugin on an affected Mattermost release (11.5.x up to and including 11.5.1, 10.11.x up to and including 10.11.13, or 11.4.x up to and including 11.4.3) should treat this as a credential exposure risk.

Technical summary

According to the CVE description and NVD metadata, the Mattermost Calls plugin fails to sanitize sensitive configuration fields in support packet exports. As a result, plaintext TURN server credentials may be included in the exported plugin configuration. NVD associates the issue with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and provides the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. The core impact is confidentiality loss through unintended disclosure of authentication material.

Defensive priority

High. The issue exposes credentials rather than causing direct code execution, but leaked TURN server credentials can expand access and create follow-on risk in conferencing or relay infrastructure. Prioritize if your environment uses the Calls plugin or routinely shares support packets externally.

Recommended defensive actions

  • Upgrade Mattermost to a fixed release outside the affected ranges for 11.5.x, 10.11.x, and 11.4.x.
  • Review any previously shared support packets for the possibility that TURN credentials were exposed.
  • Rotate any TURN server credentials that may have been present in exported support packets.
  • Restrict who can generate, access, and transmit support packets.
  • Treat support packets as sensitive artifacts and store or transfer them securely.
  • Verify whether the Mattermost Calls plugin is deployed in your environment and whether its configuration includes secret values that could appear in exports.
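As an added illustration of the review step above (this is example code, not from Mattermost or the CVE record), the Python below walks an exported plugin configuration and flags credential-looking keys whose value is not a redaction placeholder. The key names, the `********` placeholder, the plugin id and the JSON layout in the sample are assumptions for illustration, not the Calls plugin's documented schema.

```python
import json
import re

# Keys treated as credential-bearing. Assumed names for illustration; the CVE
# record does not list the Calls plugin's actual configuration field names.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(turn.*(cred|secret|pass|key|token)|ice.*(cred|secret|pass))", re.IGNORECASE
)
# Values a sanitized export is assumed to substitute for the real secret.
REDACTED_VALUES = {"", "********", "[REDACTED]", "<redacted>"}


def find_unredacted_secrets(node, path=""):
    """Recursively walk parsed JSON and return the paths of string values whose
    key looks credential-bearing and whose value is not a redaction placeholder."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}" if path else key
            if isinstance(value, str):
                if SENSITIVE_KEY_PATTERN.search(key) and value.strip() not in REDACTED_VALUES:
                    findings.append(child)
            else:
                findings.extend(find_unredacted_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_unredacted_secrets(item, f"{path}[{i}]"))
    return findings


def scan_support_packet_config(raw_json):
    """Parse an exported plugin configuration and report unredacted secrets."""
    return find_unredacted_secrets(json.loads(raw_json))


# Constructed sample export: one leaked value and one properly sanitized value.
SAMPLE_EXPORT = json.dumps({
    "PluginSettings": {
        "Plugins": {
            "com.mattermost.calls": {          # assumed plugin id
                "turn_servers": ["turn:turn.example.invalid:3478"],
                "turn_static_auth_secret": "placeholder-secret-value",  # leaked
                "turn_credentials": "********",                         # sanitized
            }
        }
    }
})

if __name__ == "__main__":
    for hit in scan_support_packet_config(SAMPLE_EXPORT):
        print("unredacted credential at", hit)
```

Run it against the `PluginSettings` section of each support packet you have shared; any hit means the credential at that path should be treated as exposed and rotated.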

Evidence notes

Evidence is limited to the supplied CVE/NVD corpus and the referenced Mattermost security updates page. The CVE description states that Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Calls plugin, exposing TURN server credentials in plaintext inside support packet exports. NVD metadata lists CWE-200 and the CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. The CVE publish and modified times are both 2026-05-18T09:16:24.143Z.

Official resources

Published on 2026-05-18. The supplied source corpus does not include a separate public advisory text beyond the Mattermost security updates reference, so this debrief is limited to the CVE/NVD record and the referenced vendor page.