Detections
Analytics

Mattermost Server 10.11.x <= 10.11.13 / 11.4.x <= 11.4.3 / 11.5.x <= 11.5.1 Multiple Vulnerabilities (MMSA-2026-00573 / MMSA-2026-00576 / MMSA-2026-00591 / MMSA-2026-00605 / MMSA-2026-00607 / MMSA-2026-00608 / MMSA-2026-00614 / MMSA-2026-00627)

medium Nessus Plugin ID 316492

Language:

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Mattermost Server installed on the remote host is affected by multiple vulnerabilities:

 - Mattermost fails to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607. (CVE-2026-6346)

 - Mattermost fails to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605. (CVE-2026-6347)

 - Mattermost fails to prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614.
 (CVE-2026-6345)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Mattermost Server version 10.11.14, 11.4.4, 11.5.2, 11.6.0 or later.

See Also

https://mattermost.com/security-updates/

Plugin Details

Severity: Medium

ID: 316492

File Name: mattermost_server_MMSA-2026-00573_00576_00591_00605_00607_00608_00614_00627.nasl

Version: 1.2

Type: Remote

Family: CGI abuses

Published: 5/22/2026

Updated: 5/25/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: High

Base Score: 7.7

Temporal Score: 5.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2026-6346

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-6340

Vulnerability Information

CPE: cpe:/a:mattermost:mattermost_server

Required KB Items: installed_sw/Mattermost Server

Exploit Ease: No known exploits are available

Patch Publication Date: 4/15/2026

Vulnerability Publication Date: 4/15/2026

Reference Information

CVE: CVE-2026-2325, CVE-2026-28759, CVE-2026-3637, CVE-2026-6340, CVE-2026-6343, CVE-2026-6345, CVE-2026-6346, CVE-2026-6347

IAVA: 2026-A-0492