Description
Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651
Published: 2026-06-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mattermost Desktop App does not enforce a domain allow list for NTLM credential forwarding, permitting any embedded image to be routed to external domains. An attacker can embed an image in a message that points to an attacker‑controlled server, causing the client to send NTLM credentials to that server. This flaw results in credential theft and enables the attacker to impersonate legitimate users. The weakness is a failure to restrict outbound credential transmission and is categorized as CWE-522.

Affected Systems

Mattermost Desktop App versions up to 6.1 and 5.5.13.0 are vulnerable. The application is distributed by Mattermost under the vendor name "Mattermost." Updating to version 6.2.0, 5.13.6.0 or later removes the flaw.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, and no active exploits are known. The likely attack vector involves the attacker embedding an image in a user’s message that the desktop client retrieves, forwarding credentials to an external domain.

Generated by OpenCVE AI on June 18, 2026 at 01:23 UTC.

Remediation

Vendor Solution

Update Mattermost Desktop App to versions 6.2.0, 5.13.6.0 or higher.


OpenCVE Recommended Actions

  • Upgrade to Mattermost Desktop App 6.2.0, 5.13.6.0 or newer.
  • If an upgrade is not immediately possible, enable the image proxy feature on the Mattermost server to block external image requests from the client.
  • Additionally, configure network or local group policy rules to restrict or block outbound NTLM authentication from the client to untrusted external domains, ensuring NTLM credentials are not sent to attackers' servers.

Generated by OpenCVE AI on June 18, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Tue, 16 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Desktop
CPEs cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*
cpe:2.3:a:mattermost:mattermost_desktop:*:-:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Desktop

Tue, 16 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 15 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651
Title Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed
Weaknesses CWE-522
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Mattermost Mattermost Mattermost Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-15T16:00:00.919Z

Reserved: 2026-04-17T14:25:10.246Z

Link: CVE-2026-6517

cve-icon Vulnrichment

Updated: 2026-06-15T15:59:52.206Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-15T14:16:37.910

Modified: 2026-06-16T16:54:47.653

Link: CVE-2026-6517

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:30:15Z

Weaknesses
  • CWE-522

    Insufficiently Protected Credentials