Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords, which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Published: 2026-05-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 fail to prevent the disclosure of newly created user passwords. The vulnerability enables a malicious actor who obtains any of the exposed passwords to impersonate users by logging in with those credentials. The weakness is categorized as CWE-522, which denotes an information exposure through credential disclosure.

Affected Systems

The affected system is Mattermost’s collaboration platform, specifically the community or enterprise editions running the vulnerable versions listed above. Administrators should verify whether their installations belong to the affected series (11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3).

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability. The EPSS score is currently not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local to the Mattermost installation, requiring access to user command or API capabilities that trigger the Slack import process. An attacker with administrative or privileged API permissions could exploit the fault to extract passwords and subsequently impersonate users, leading to potential data compromise or unauthorized actions within the workspace.

Generated by OpenCVE AI on May 18, 2026 at 10:22 UTC.

Remediation

Vendor Solution

Update Mattermost to version 11.6.0, 11.5.2, 10.11.14, or 11.4.4, or a later release.


OpenCVE Recommended Actions

  • Apply the vendor-supplied patch by upgrading Mattermost to at least version 11.6.0, 11.5.2, 10.11.14, or 11.4.4, as recommended in the advisory.
  • If an upgrade cannot be performed immediately, enforce a password reset for all users that may have created accounts via the Slack import to eliminate the exposed credentials.
  • Disable or restrict the Slack import feature until the software is patched to prevent further credential disclosure and reduce the risk surface.

Generated by OpenCVE AI on May 18, 2026 at 10:22 UTC.

Advisories

No advisories yet.

References
History

Mon, 18 May 2026 10:45:00 +0000

First Time appeared: values added: Mattermost; Mattermost mattermost
Vendors & Products: values added: Mattermost; Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Description: values added: Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords, which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Title: values added: Prevent password disclosure and force reset during Slack import
Weaknesses: values added: CWE-522
References: values added:
Metrics: values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:40:00.821Z

Reserved: 2026-04-15T10:44:28.488Z

Link: CVE-2026-6345

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T09:16:23.853

Modified: 2026-05-18T09:16:23.853

Link: CVE-2026-6345

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z

Weaknesses