CVE-2026-4339

Source
https://cve.org/CVERecord?id=CVE-2026-4339
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4339.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-4339
Published
2026-06-26T14:44:58.655Z
Modified
2026-07-08T08:13:29.199224454Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Details

Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "10.11.0"
                },
                {
                    "last_affected": "10.11.18"
                },
                {
                    "introduced": "11.6.0"
                },
                {
                    "last_affected": "11.6.3"
                },
                {
                    "introduced": "11.5.0"
                },
                {
                    "last_affected": "11.5.6"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4339.json",
    "cna_assigner": "Mattermost",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.19"
        },
        {
            "introduced": "11.5.0"
        },
        {
            "fixed": "11.5.7"
        },
        {
            "introduced": "11.6.0"
        },
        {
            "fixed": "11.6.4"
        }
    ]
}

Affected versions

@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/types@10.*
@mattermost/types@10.11.0
mattermost-redux@10.*
mattermost-redux@10.11.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.10
v10.11.11
v10.11.11-rc1
v10.11.11-rc2
v10.11.12
v10.11.13
v10.11.13-rc1
v10.11.14
v10.11.14-rc1
v10.11.15
v10.11.15-rc1
v10.11.16
v10.11.17
v10.11.18
v10.11.19-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.5.0
v11.5.1
v11.5.2
v11.5.2-rc1
v11.5.2-rc2
v11.5.2-rc3
v11.5.3
v11.5.4
v11.5.5
v11.5.6
v11.6.0
v11.6.1
v11.6.1-rc1
v11.6.2
v11.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4339.json"