GHSA-p3qg-h7r3-79xr
Mattermost versions 10.11.x up to 10.11.18, 11.6.x up to 11.6.3, and 11.5.x up to 11.5.6 contain a vulnerability in the Mattermost Agents plugin MCP server. The vulnerability allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) by supplying internal URLs as file attachments in post creation requests. This occurs because the plugin fails to validate attachment URLs against internal or private IP ranges. The vulnerability can lead to exfiltration of data from internal network services.
AI Analysis
Technical Summary
CVE-2026-4339 affects the MCP server of the Mattermost Agents plugin in specific Mattermost versions (10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6). The issue is a failure to validate attachment URLs against internal or private IP ranges, enabling an attacker with MCP server stdio mode access to perform SSRF attacks. This allows the attacker to exfiltrate data from internal network services by supplying internal URLs as file attachments during post creation requests. The CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating a local attack vector, low complexity, low privileges required, no user interaction, changed scope, high confidentiality impact, and no integrity or availability impact. No known exploits in the wild have been reported. The vulnerability is classified as CWE-918 (Server-Side Request Forgery).
Potential Impact
An attacker with access to the MCP server in stdio mode can exploit this vulnerability to perform SSRF attacks, potentially exfiltrating sensitive data from internal network services. The confidentiality impact is high, but integrity and availability are not affected. The attack requires local access with low privileges and no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed; check the Mattermost Advisory MMSA-2026-00635 for current remediation guidance. Since no patch links are provided, users should monitor official vendor advisories for updates. Until an official fix is available, restricting access to the MCP server in stdio mode and validating attachment URLs (resolving the host and rejecting any address that falls in loopback, private, or link-local ranges) can help mitigate risk.
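The validation the mitigation describes, as an added example that is not part of the advisory and not the Mattermost plugin's own code: a Go check that accepts an attachment URL only when its host is a public address. The function name ValidateAttachmentURL, the Resolver type, and the extra blocked CIDR list are assumptions for this example; the static resolver and the hostnames in main are constructed test data so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the check can be exercised offline; in
// production wrap net.DefaultResolver.LookupIP (hypothetical integration).
type Resolver func(host string) ([]net.IP, error)

// extraBlockedCIDRs lists ranges that net.IP's built-in helpers do not
// classify as private. This policy list is an assumption for the example.
var extraBlockedCIDRs = mustParseCIDRs(
	"100.64.0.0/10", // carrier-grade NAT (RFC 6598)
	"192.0.0.0/24",  // IETF protocol assignments (RFC 6890)
	"198.18.0.0/15", // benchmarking (RFC 2544)
	"240.0.0.0/4",   // reserved
	"64:ff9b::/96",  // NAT64 well-known prefix, can embed an internal IPv4
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsInternalIP reports whether ip is loopback, private (RFC 1918 / ULA),
// link-local (which covers cloud metadata endpoints), multicast,
// unspecified, or inside one of the extra blocked ranges. IPv4-mapped IPv6
// addresses are covered because net.IP's helpers call To4 first.
func IsInternalIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	for _, n := range extraBlockedCIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateAttachmentURL rejects any http(s) URL whose host is an internal
// literal or resolves to one. Every resolved address must be public, so a
// name with one public and one private record is rejected.
func ValidateAttachmentURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("malformed URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return errors.New("URL has no host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return errors.New("localhost is not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		// Non-literal host: resolve it and check every returned address.
		ips, err = resolve(host)
		if err != nil {
			return fmt.Errorf("resolving %q: %w", host, err)
		}
		if len(ips) == 0 {
			return fmt.Errorf("%q resolved to no addresses", host)
		}
	}
	for _, ip := range ips {
		if IsInternalIP(ip) {
			return fmt.Errorf("host %q maps to internal address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed static resolver standing in for DNS.
	static := func(host string) ([]net.IP, error) {
		if host == "files.example.com" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{"https://files.example.com/report.pdf", "http://127.0.0.1:8065/api/v4/users", "http://[::ffff:10.1.2.3]/"} {
		fmt.Printf("%-40s -> %v\n", raw, ValidateAttachmentURL(raw, static))
	}
}
```

Two caveats matter when wiring a check like this into a real fetch path. Validating at resolution time still leaves a window for DNS rebinding, so the fetch should connect to the address that passed the check rather than resolving the name a second time (for example through a custom DialContext on the http.Transport). Redirects must also be re-validated hop by hop, since http.Client follows them by default; a CheckRedirect hook that calls the same function closes that gap.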
CVSS v3.1
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (database severity: MODERATE)
Affected software
pkg:github/mattermost/mattermost-server
Weaknesses
CWE-918: Server-Side Request Forgery (SSRF)
Technical Details
- GCVE source: db.gcve.eu
- OSV id: GHSA-p3qg-h7r3-79xr
- OSV schema version: 1.4.0
- Aliases: CVE-2026-4339
- Ecosystems: none listed
- Database-specific severity: MODERATE
- CVSS version: 3.1
Threat ID: 6a3ef7a327e9c79719ffb0bb
Added to database: 06/26/2026, 22:05:23 UTC
Last enriched: 06/26/2026, 22:23:25 UTC
Last updated: 06/27/2026, 00:51:13 UTC