SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Summary
| CVE | CVE-2026-4339 |
|---|---|
| State | PUBLISHED |
| Assigner | Mattermost |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-26 15:16:39 UTC |
| Updated | 2026-06-29 19:26:34 UTC |
| Description | Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635 |
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.001040000 probability, percentile 0.012320000 (date 2026-06-29)
Problem Types: CWE-918 | CWE-918 CWE-918: Server-Side Request Forgery (SSRF)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Mattermost | Mattermost Server | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Mattermost | Mattermost | affected 10.11.0 10.11.18 semver | Not specified |
| CNA | Mattermost | Mattermost | affected 11.6.0 11.6.3 semver | Not specified |
| CNA | Mattermost | Mattermost | affected 11.5.0 11.5.6 semver | Not specified |
| CNA | Mattermost | Mattermost | unaffected 11.7.0 | Not specified |
| CNA | Mattermost | Mattermost | unaffected 10.11.19 | Not specified |
| CNA | Mattermost | Mattermost | unaffected 11.6.4 | Not specified |
| CNA | Mattermost | Mattermost | unaffected 11.5.7 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| mattermost.com/security-updates | [email protected] | mattermost.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: s00me00ne (en)
Additional Advisory Data
Solutions
CNA: Update Mattermost to versions 11.7.0, 10.11.19, 11.6.4, 11.5.7 or higher.
There are currently no legacy QID mappings associated with this CVE.