CVE-2026-4339

Name: CVE-2026-4339
Creator: NVD / NIST
Published: 2026-06-26T15:16:39.6+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10

Last modified Jun 26, 2026

CVE-2026-4339 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635.

Description

Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) and exfiltrate data from internal network services via supplying internal URLs as file attachments in post creation requests.. Mattermost Advisory ID: MMSA-2026-00635

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Weakness Enumeration

CWE-918

References

https://mattermost.com/security-updates

Timeline

Published: Jun 26, 2026
Last Modified: Jun 26, 2026
Status: Undergoing Analysis

Frequently Asked Questions

What is CVE-2026-4339?

How severe is CVE-2026-4339?

CVE-2026-4339 has a CVSS score of 6.5/10 (MEDIUM severity).

How do I fix CVE-2026-4339?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-4339?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST