GHSA-wvgv-4fc3-2rcpMediumCVSS 6.5

Mattermost doesn't prevent disclosure of created user password

Published
May 18, 2026
Last Modified
June 1, 2026

🔗 CVE IDs covered (1)

CVE-2026-6345

📋 Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 doesn't prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614

🎯 Affected products5

  • go/github.com/mattermost/mattermost/server/v8:>= 11.5.0, < 11.5.2
  • go/github.com/mattermost/mattermost/server/v8:>= 10.11.0, < 10.11.14
  • go/github.com/mattermost/mattermost/server/v8:>= 11.4.0, < 11.4.4
  • go/github.com/mattermost/mattermost/server/v8:< 8.0.0-20260311102650-3057ae7e83e9
  • go/github.com/mattermost/mattermost-server:< 5.3.2-0.20260311102650-3057ae7e83e9

🔗 References (4)