Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605
Published: 2026-05-18
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs because the Mattermost Calls plugin fails to sanitize sensitive configuration fields before they are written into a support packet: the exported plugin configuration contains the TURN server credentials in plaintext, so anyone who can read the packet obtains them. The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) rates this as a high confidentiality impact with a changed scope, because the disclosed secret belongs to a separate component, the TURN server, rather than to Mattermost itself; integrity is not affected and availability impact is low. An attacker holding valid TURN credentials can authenticate to the relay and allocate sessions on it, consuming its bandwidth and relay capacity.
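As an added example (not code from OpenCVE, Mattermost or the Calls plugin), the Go program below shows the two things a practitioner wants here: the sanitisation the fix has to perform, redacting secret-bearing fields from a plugin configuration before it is written into a support packet, and a check that walks an exported configuration and lists the JSON paths of any TURN credentials still present in plaintext. The field names TURNStaticAuthSecret and ICEServersConfigs[].credential are assumptions modelled on how the Calls plugin names its TURN settings, and all configuration values are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Keys whose string values are treated as secrets. "turnstaticauthsecret"
// and "credential" (the TURN entry under ICEServersConfigs) are assumed
// names for this example, not taken from the plugin source.
var sensitiveKeys = map[string]bool{
	"turnstaticauthsecret": true,
	"credential":           true,
	"password":             true,
	"secret":               true,
}

const redacted = "********"

// isSensitiveKey matches exact names plus common secret-bearing suffixes.
func isSensitiveKey(k string) bool {
	lk := strings.ToLower(k)
	if sensitiveKeys[lk] {
		return true
	}
	return strings.HasSuffix(lk, "secret") ||
		strings.HasSuffix(lk, "password") ||
		strings.HasSuffix(lk, "credential")
}

// sanitizeConfig returns a copy of a decoded JSON value in which every
// non-empty string stored under a sensitive key is replaced by a fixed
// placeholder. Empty strings are left alone so a reader can still tell
// "not configured" from "redacted". The input is not mutated.
func sanitizeConfig(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, val := range t {
			if s, ok := val.(string); ok && isSensitiveKey(k) {
				if s != "" {
					out[k] = redacted
				} else {
					out[k] = s
				}
				continue
			}
			out[k] = sanitizeConfig(val)
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, val := range t {
			out[i] = sanitizeConfig(val)
		}
		return out
	default:
		return v
	}
}

// findPlaintextSecrets lists the JSON paths of sensitive keys whose value
// is a non-empty, non-redacted string. Keys are visited in sorted order so
// the output is deterministic.
func findPlaintextSecrets(v any, path string) []string {
	var hits []string
	switch t := v.(type) {
	case map[string]any:
		keys := make([]string, 0, len(t))
		for k := range t {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			p := path + "." + k
			if s, ok := t[k].(string); ok && isSensitiveKey(k) {
				if s != "" && s != redacted {
					hits = append(hits, p)
				}
				continue
			}
			hits = append(hits, findPlaintextSecrets(t[k], p)...)
		}
	case []any:
		for i, val := range t {
			hits = append(hits, findPlaintextSecrets(val, fmt.Sprintf("%s[%d]", path, i))...)
		}
	}
	return hits
}

// Constructed sample of a Calls plugin config block as it might appear in
// an exported support packet; every value here is made up.
const samplePluginConfig = `{
  "com.mattermost.calls": {
    "DefaultEnabled": true,
    "ICEServersConfigs": [
      {"urls": ["stun:stun.example.com:3478"]},
      {"urls": ["turn:turn.example.com:3478"], "username": "calls", "credential": "s3cr3t-turn-pass"}
    ],
    "TURNStaticAuthSecret": "0123456789abcdef",
    "TURNCredentialsExpirationMinutes": 1440
  }
}`

func parse(s string) map[string]any {
	var m map[string]any
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		panic(err)
	}
	return m
}

func main() {
	cfg := parse(samplePluginConfig)
	fmt.Println("plaintext secrets before:", findPlaintextSecrets(cfg, "$"))
	clean := sanitizeConfig(cfg)
	fmt.Println("plaintext secrets after: ", findPlaintextSecrets(clean, "$"))
	out, _ := json.MarshalIndent(clean, "", "  ")
	fmt.Println(string(out))
}
```

Run the checker over the plugin section of any support packet produced by an affected version before it leaves the organisation; each path it prints names a credential to rotate, because redacting the copy you share does not help if the packet has already been exported.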

Affected Systems

The Mattermost Calls plugin is affected when running on Mattermost 11.5.x through 11.5.1, 10.11.x through 10.11.13, or 11.4.x through 11.4.3.

Risk and Exploitability

The CVSS score of 7.6 categorises the flaw as high severity (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). The EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalogue, so there is no indication of known exploitation at the time of publication. Exploitation requires access to a support packet: generating one is a system-admin action (PR:H), but support packets exist to be shared with Mattermost support or attached to tickets, so anyone on that path, or anyone who later finds the archive, holds the TURN credentials. Because those credentials authenticate directly to the TURN server, the exposure outlives any Mattermost session and persists until the credentials are rotated. Patching stops the leak in newly generated packets; it does not revoke credentials that were already exported.

Generated by OpenCVE AI on May 18, 2026 at 10:23 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to 11.6.0, 11.5.2, 10.11.14, 11.4.4 or a newer version that includes the fix.
  • If an immediate upgrade is not possible, restrict who can generate and read support packets, and strip the Calls plugin configuration (in particular the TURN static auth secret and any ICE server credentials) from a packet before sharing it outside the organisation.
  • Until the patch is applied, either disable the Calls plugin or remove the TURN credentials from its configuration before generating a support packet. Treat credentials that an affected version has already exported as compromised and rotate them on the TURN server and in the plugin configuration, since upgrading does not invalidate what was disclosed.

Generated by OpenCVE AI on May 18, 2026 at 10:23 UTC.

Advisories

No advisories yet.

References
History

Mon, 18 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mattermost
                                      Mattermost mattermost
Vendors & Products                    Mattermost
                                      Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type          Values Removed   Values Added
Description                    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605
Title                          Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets
Weaknesses                     CWE-200
References
Metrics                        cvssV3_1: score 7.6, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L


Subscriptions

Mattermost Mattermost
MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:30:41.433Z

Reserved: 2026-04-15T10:54:40.759Z

Link: CVE-2026-6347

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T09:16:24.143

Modified: 2026-05-18T09:16:24.143

Link: CVE-2026-6347

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z

Weaknesses