Mattermost Support Packets Expose Sensitive Configuration Credentials

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console.. Mattermost Advisory ID: MMSA-2026-00607

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

Mattermost versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 contain a critical information disclosure vulnerability in their support packet generation process. The vulnerability stems from insufficient sanitization of sensitive configuration fields before they are bundled into support packets, allowing System Administrators or anyone with access to downloaded support packets to extract plaintext credentials and other sensitive data. This affects organizations relying on Mattermost for team communication and collaboration, as the support packet feature—typically intended for diagnostic purposes—becomes a vector for credential exposure. The threat is particularly acute because System Admins legitimately access these packets for troubleshooting, and the compromised credentials could grant attackers direct access to critical systems and services configured within Mattermost.

Casky's skill mapping to MITRE ATT&CK techniques TA0043 (Reconnaissance) and TA0009 (Collection) enables detection of this vulnerability's exploitation patterns across your security posture. The 261 matching skills leverage Claude's extended reasoning to identify telemetry associated with suspicious support packet downloads from the System Console, anomalous administrative access patterns, and lateral movement attempts using credentials extracted from support packets. Practitioners would observe findings highlighting unauthorized or unusual support packet generation requests, potential exfiltration of configuration data, and correlation with subsequent credential usage across infrastructure—all mapped to Collection techniques that adversaries employ to gather sensitive information post-compromise. By cross-referencing these attack patterns with your Mattermost deployment inventory and administrative activity logs, Casky helps teams rapidly distinguish legitimate diagnostics from potential exploitation attempts.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-6346.

acquiring-disk-image-with-dd-and-dcfldd

digital forensics · low

Run

analyzing-apt-group-with-mitre-navigator

threat intelligence · low

Run

analyzing-browser-forensics-with-hindsight

digital forensics · low

Run

MITRE ATT&CK Techniques

TA0043 TA0009

Investigate the attack patterns behind CVE-2026-6346

Casky has 261 skills that investigate the attack patterns behind CVE-2026-6346. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn