CVE-2026-6517 PUBLISHED

Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed

Assigner: Mattermost
Reserved: 17.04.2026 Published: 15.06.2026 Updated: 15.06.2026

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 6.3

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 0 to 5.5.13 (incl.) Version 6.2.0 is unaffected Version 5.13.6.0 is unaffected

Solutions

Update Mattermost Desktop App to versions 6.2.0, 5.13.6.0 or higher.

Credits

falke finder

References

MMSA-2026-00651

Problem Types

CWE-522: Insufficiently Protected Credentials CWE