CVE-2026-6345
Mattermost doesn't prevent disclosure of created user password
6.5
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 doesn't prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614
How to fix CVE-2026-6345
To remediate CVE-2026-6345, upgrade the affected package to a fixed version below.
- —upgrade to 5.3.2-0.20260311102650-3057ae7e83e9 or later
- —upgrade to 11.5.2 or later
Is CVE-2026-6345 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 5.3.2-0.20260311102650-3057ae7e83e9
- >= 11.5.0, < 11.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |