Impact
The Mattermost Desktop App does not enforce a domain allow list for NTLM credential forwarding, permitting any embedded image to be routed to external domains. An attacker can embed an image in a message that points to an attacker‑controlled server, causing the client to send NTLM credentials to that server. This flaw results in credential theft and enables the attacker to impersonate legitimate users. The weakness is a failure to restrict outbound credential transmission and is categorized as CWE-522.
Affected Systems
Mattermost Desktop App versions up to 6.1 and 5.5.13.0 are vulnerable. The application is distributed by Mattermost under the vendor name "Mattermost." Updating to version 6.2.0, 5.13.6.0 or later removes the flaw.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, and no active exploits are known. The likely attack vector involves the attacker embedding an image in a user’s message that the desktop client retrieves, forwarding credentials to an external domain.
OpenCVE Enrichment