Description
Mattermost Desktop App versions <=6.1 and 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials are forwarded, which allows any user on a server without the image proxy enabled to intercept other users' credentials by embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651
Published: 2026-06-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to have the desktop application forward NTLM credentials to an attacker-controlled domain that is not on a restricted allow list. The attack can lead to credential theft and subsequent impersonation of legitimate users. The weakness is a failure to enforce a domain allow list, falling under CWE-522 (Insufficiently Protected Credentials).

Affected Systems

Mattermost Desktop App versions up to 6.1 and 5.5.13.0 are affected. Users running these releases should upgrade to version 6.2.0, 5.13.6.0 or later to remediate the issue.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The EPSS score is not available, suggesting uncertainty about current exploitation probability. It is not listed in CISA's KEV catalog, and no active exploits are known at the time of analysis. Based on the description, the likely attack vector is an image embedded in a message that routes through the client to an attacker-controlled server, allowing the credentials to be intercepted.

Generated by OpenCVE AI on June 16, 2026 at 02:28 UTC.

Remediation

Vendor Solution

Update Mattermost Desktop App to versions 6.2.0, 5.13.6.0 or higher.

OpenCVE Recommended Actions

  • Upgrade to Mattermost Desktop App 6.2.0, 5.13.6.0 or newer.
  • Enable the image proxy setting on the Mattermost server to block NTLM credential forwarding to external domains.
  • Configure a restrictive domain allow list or disable image loading from external domains within the desktop client to prevent credential leakage.

History

Tue, 16 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mattermost mattermost Desktop
CPEs | | cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*
CPEs | | cpe:2.3:a:mattermost:mattermost_desktop:*:-:*:*:*:*:*:*
Vendors & Products | | Mattermost mattermost Desktop

Tue, 16 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mattermost
First Time appeared | | Mattermost mattermost
Vendors & Products | | Mattermost
Vendors & Products | | Mattermost mattermost

Mon, 15 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651
Title | | Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed
Weaknesses | | CWE-522
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-15T16:00:00.919Z

Reserved: 2026-04-17T14:25:10.246Z

Link: CVE-2026-6517

Vulnrichment

Updated: 2026-06-15T15:59:52.206Z

NVD

Status: Analyzed

Published: 2026-06-15T14:16:37.910

Modified: 2026-06-16T16:54:47.653

Link: CVE-2026-6517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T09:00:06Z

Weaknesses
  • CWE-522: Insufficiently Protected Credentials