CVE-2026-6517

MEDIUM 6.3

Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651

CWE	CWE-522
Vendor	mattermost
Product	mattermost
Published	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for mattermost mattermost

Be the first to know when new medium vulnerabilities affecting mattermost mattermost are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Mattermost / Mattermost

0 ≤ 5.5.13

References

NVD ↗ CVE.org ↗ EPSS Data ↗

mattermost.com: https://mattermost.com/security-updates

Credits

falke