CVE-2026-6346
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost fails to sanitize configuration secrets in support packets, exposing plaintext credentials to System Admins and packet recipients in versions 11.5.x ≤ 11.5.1, 10.11.x ≤ 10.11.13, and 11.4.x ≤ 11.4.3.
Vulnerability
Mattermost versions 11.5.x up to and including 11.5.1, 10.11.x up to and including 10.11.13, and 11.4.x up to and including 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation [1]. This vulnerability allows sensitive credentials to be embedded in plaintext within support packets generated from the System Console [1].
Exploitation
An attacker who is a Mattermost System Admin with access to the System Console can trigger the generation of a support packet that includes plaintext credentials [1]. Additionally, any party who subsequently obtains a copy of such a support packet—whether through unintended disclosure, shared troubleshooting, or other means—can extract the exposed credentials [1]. No additional privileges or user interaction beyond the admin's packet generation action are required.
Impact
Successful exploitation leads to the disclosure of sensitive configuration credentials in plaintext [1]. An attacker who gains access to these credentials can leverage them to further compromise the Mattermost instance, potentially gaining unauthorized access to connected services or sensitive data [1]. The confidentiality of configuration secrets is directly undermined.
Mitigation
Mattermost has addressed this issue in versions 11.5.2, 10.11.14, and 11.4.4 as part of MMSA-2026-00607 [1]. Users should upgrade to the latest patched version immediately. If upgrading is not immediately possible, System Admins should carefully control access to the System Console and restrict the distribution of generated support packets, though these workarounds do not eliminate the risk [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=10.11.13, <=11.4.3, <=11.5.1
Patches
3f58aad93ec2c: Added FakeSetting for keys generation for support package (#35862)
2 files changed · +24 −0
server/public/model/config.go+16 −0 modified@@ -4997,6 +4997,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.FileSettings.AmazonS3SecretAccessKey = FakeSetting } + if o.FileSettings.ExportAmazonS3SecretAccessKey != nil && *o.FileSettings.ExportAmazonS3SecretAccessKey != "" { + *o.FileSettings.ExportAmazonS3SecretAccessKey = FakeSetting + } + if o.EmailSettings.SMTPPassword != nil && *o.EmailSettings.SMTPPassword != "" { *o.EmailSettings.SMTPPassword = FakeSetting } @@ -5029,6 +5033,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ElasticsearchSettings.Password = FakeSetting } + if o.ElasticsearchSettings.ClientKey != nil && *o.ElasticsearchSettings.ClientKey != "" { + *o.ElasticsearchSettings.ClientKey = FakeSetting + } + for i := range o.SqlSettings.DataSourceReplicas { o.SqlSettings.DataSourceReplicas[i] = sanitizeDataSourceField(o.SqlSettings.DataSourceReplicas[i], "SqlSettings.DataSourceReplicas") } @@ -5054,6 +5062,14 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ServiceSettings.SplitKey = FakeSetting } + if o.ServiceSettings.GoogleDeveloperKey != nil && *o.ServiceSettings.GoogleDeveloperKey != "" { + *o.ServiceSettings.GoogleDeveloperKey = FakeSetting + } + + if o.ServiceSettings.GiphySdkKey != nil && *o.ServiceSettings.GiphySdkKey != "" { + *o.ServiceSettings.GiphySdkKey = FakeSetting + } + if o.CacheSettings.RedisPassword != nil { *o.CacheSettings.RedisPassword = FakeSetting }
server/public/model/config_test.go+8 −0 modified@@ -1580,9 +1580,13 @@ func TestConfigSanitize(t *testing.T) { *c.LdapSettings.BindPassword = "foo" *c.FileSettings.AmazonS3SecretAccessKey = "bar" + *c.FileSettings.ExportAmazonS3SecretAccessKey = "export-secret" *c.EmailSettings.SMTPPassword = "baz" *c.GitLabSettings.Secret = "bingo" *c.OpenIdSettings.Secret = "secret" + *c.ServiceSettings.GoogleDeveloperKey = "google-api-key" + *c.ServiceSettings.GiphySdkKey = "giphy-sdk-key" + *c.ElasticsearchSettings.ClientKey = "/path/to/client-key.pem" c.SqlSettings.DataSourceReplicas = []string{"stuff"} c.SqlSettings.DataSourceSearchReplicas = []string{"stuff"} c.SqlSettings.ReplicaLagSettings = []*ReplicaLagSettings{{ @@ -1596,12 +1600,16 @@ func TestConfigSanitize(t *testing.T) { assert.Equal(t, FakeSetting, *c.LdapSettings.BindPassword) assert.Equal(t, FakeSetting, *c.FileSettings.PublicLinkSalt) assert.Equal(t, FakeSetting, *c.FileSettings.AmazonS3SecretAccessKey) + assert.Equal(t, FakeSetting, *c.FileSettings.ExportAmazonS3SecretAccessKey) assert.Equal(t, FakeSetting, *c.EmailSettings.SMTPPassword) assert.Equal(t, FakeSetting, *c.GitLabSettings.Secret) assert.Equal(t, FakeSetting, *c.OpenIdSettings.Secret) assert.Equal(t, FakeSetting, *c.SqlSettings.DataSource) assert.Equal(t, FakeSetting, *c.SqlSettings.AtRestEncryptKey) assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.Password) + assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.ClientKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GoogleDeveloperKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GiphySdkKey) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceReplicas[0]) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceSearchReplicas[0])
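Review bot: the fix keeps the allow-list shape that produced this bug: each secret needs its own `if o.X != nil && *o.X != "" { *o.X = FakeSetting }` branch in Sanitize(), so any sensitive field added later without a matching branch leaks the same way; consider marking secret fields with a struct tag and redacting them generically, or adding a test that fills every string field with a unique sentinel and asserts that nothing survives sanitization except a reviewed list of non-secrets. The new branches also skip empty strings while the neighbouring `if o.CacheSettings.RedisPassword != nil {` redacts regardless of content; both are safe (an empty value is not a secret), but the inconsistency deserves a comment. In config_test.go the fixture `*c.ElasticsearchSettings.ClientKey = "/path/to/client-key.pem"` reads like a file path rather than key material; if the field holds a path the redaction is harmless, but the test value should reflect what the field actually stores.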
075d975ca738: Added FakeSetting for keys generation for support package (#35859)
2 files changed · +24 −0
server/public/model/config.go+16 −0 modified@@ -4848,6 +4848,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.FileSettings.AmazonS3SecretAccessKey = FakeSetting } + if o.FileSettings.ExportAmazonS3SecretAccessKey != nil && *o.FileSettings.ExportAmazonS3SecretAccessKey != "" { + *o.FileSettings.ExportAmazonS3SecretAccessKey = FakeSetting + } + if o.EmailSettings.SMTPPassword != nil && *o.EmailSettings.SMTPPassword != "" { *o.EmailSettings.SMTPPassword = FakeSetting } @@ -4880,6 +4884,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ElasticsearchSettings.Password = FakeSetting } + if o.ElasticsearchSettings.ClientKey != nil && *o.ElasticsearchSettings.ClientKey != "" { + *o.ElasticsearchSettings.ClientKey = FakeSetting + } + for i := range o.SqlSettings.DataSourceReplicas { o.SqlSettings.DataSourceReplicas[i] = sanitizeDataSourceField(o.SqlSettings.DataSourceReplicas[i], "SqlSettings.DataSourceReplicas") } @@ -4905,6 +4913,14 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ServiceSettings.SplitKey = FakeSetting } + if o.ServiceSettings.GoogleDeveloperKey != nil && *o.ServiceSettings.GoogleDeveloperKey != "" { + *o.ServiceSettings.GoogleDeveloperKey = FakeSetting + } + + if o.ServiceSettings.GiphySdkKey != nil && *o.ServiceSettings.GiphySdkKey != "" { + *o.ServiceSettings.GiphySdkKey = FakeSetting + } + if o.CacheSettings.RedisPassword != nil { *o.CacheSettings.RedisPassword = FakeSetting }
server/public/model/config_test.go+8 −0 modified@@ -1513,9 +1513,13 @@ func TestConfigSanitize(t *testing.T) { *c.LdapSettings.BindPassword = "foo" *c.FileSettings.AmazonS3SecretAccessKey = "bar" + *c.FileSettings.ExportAmazonS3SecretAccessKey = "export-secret" *c.EmailSettings.SMTPPassword = "baz" *c.GitLabSettings.Secret = "bingo" *c.OpenIdSettings.Secret = "secret" + *c.ServiceSettings.GoogleDeveloperKey = "google-api-key" + *c.ServiceSettings.GiphySdkKey = "giphy-sdk-key" + *c.ElasticsearchSettings.ClientKey = "/path/to/client-key.pem" c.SqlSettings.DataSourceReplicas = []string{"stuff"} c.SqlSettings.DataSourceSearchReplicas = []string{"stuff"} c.SqlSettings.ReplicaLagSettings = []*ReplicaLagSettings{{ @@ -1529,12 +1533,16 @@ func TestConfigSanitize(t *testing.T) { assert.Equal(t, FakeSetting, *c.LdapSettings.BindPassword) assert.Equal(t, FakeSetting, *c.FileSettings.PublicLinkSalt) assert.Equal(t, FakeSetting, *c.FileSettings.AmazonS3SecretAccessKey) + assert.Equal(t, FakeSetting, *c.FileSettings.ExportAmazonS3SecretAccessKey) assert.Equal(t, FakeSetting, *c.EmailSettings.SMTPPassword) assert.Equal(t, FakeSetting, *c.GitLabSettings.Secret) assert.Equal(t, FakeSetting, *c.OpenIdSettings.Secret) assert.Equal(t, FakeSetting, *c.SqlSettings.DataSource) assert.Equal(t, FakeSetting, *c.SqlSettings.AtRestEncryptKey) assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.Password) + assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.ClientKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GoogleDeveloperKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GiphySdkKey) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceReplicas[0]) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceSearchReplicas[0])
b8d161443fdf: Added FakeSetting for keys generation for support package (#35346) (#35823)
2 files changed · +24 −0
server/public/model/config.go+16 −0 modified@@ -5010,6 +5010,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.FileSettings.AmazonS3SecretAccessKey = FakeSetting } + if o.FileSettings.ExportAmazonS3SecretAccessKey != nil && *o.FileSettings.ExportAmazonS3SecretAccessKey != "" { + *o.FileSettings.ExportAmazonS3SecretAccessKey = FakeSetting + } + if o.EmailSettings.SMTPPassword != nil && *o.EmailSettings.SMTPPassword != "" { *o.EmailSettings.SMTPPassword = FakeSetting } @@ -5042,6 +5046,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ElasticsearchSettings.Password = FakeSetting } + if o.ElasticsearchSettings.ClientKey != nil && *o.ElasticsearchSettings.ClientKey != "" { + *o.ElasticsearchSettings.ClientKey = FakeSetting + } + for i := range o.SqlSettings.DataSourceReplicas { o.SqlSettings.DataSourceReplicas[i] = sanitizeDataSourceField(o.SqlSettings.DataSourceReplicas[i], "SqlSettings.DataSourceReplicas") } @@ -5067,6 +5075,14 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ServiceSettings.SplitKey = FakeSetting } + if o.ServiceSettings.GoogleDeveloperKey != nil && *o.ServiceSettings.GoogleDeveloperKey != "" { + *o.ServiceSettings.GoogleDeveloperKey = FakeSetting + } + + if o.ServiceSettings.GiphySdkKey != nil && *o.ServiceSettings.GiphySdkKey != "" { + *o.ServiceSettings.GiphySdkKey = FakeSetting + } + if o.CacheSettings.RedisPassword != nil { *o.CacheSettings.RedisPassword = FakeSetting }
server/public/model/config_test.go+8 −0 modified@@ -1580,9 +1580,13 @@ func TestConfigSanitize(t *testing.T) { *c.LdapSettings.BindPassword = "foo" *c.FileSettings.AmazonS3SecretAccessKey = "bar" + *c.FileSettings.ExportAmazonS3SecretAccessKey = "export-secret" *c.EmailSettings.SMTPPassword = "baz" *c.GitLabSettings.Secret = "bingo" *c.OpenIdSettings.Secret = "secret" + *c.ServiceSettings.GoogleDeveloperKey = "google-api-key" + *c.ServiceSettings.GiphySdkKey = "giphy-sdk-key" + *c.ElasticsearchSettings.ClientKey = "/path/to/client-key.pem" *c.AutoTranslationSettings.LibreTranslate.APIKey = "libre-api-key" c.SqlSettings.DataSourceReplicas = []string{"stuff"} c.SqlSettings.DataSourceSearchReplicas = []string{"stuff"} @@ -1597,13 +1601,17 @@ func TestConfigSanitize(t *testing.T) { assert.Equal(t, FakeSetting, *c.LdapSettings.BindPassword) assert.Equal(t, FakeSetting, *c.FileSettings.PublicLinkSalt) assert.Equal(t, FakeSetting, *c.FileSettings.AmazonS3SecretAccessKey) + assert.Equal(t, FakeSetting, *c.FileSettings.ExportAmazonS3SecretAccessKey) assert.Equal(t, FakeSetting, *c.EmailSettings.SMTPPassword) assert.Equal(t, FakeSetting, *c.GitLabSettings.Secret) assert.Equal(t, FakeSetting, *c.OpenIdSettings.Secret) assert.Equal(t, FakeSetting, *c.AutoTranslationSettings.LibreTranslate.APIKey) assert.Equal(t, FakeSetting, *c.SqlSettings.DataSource) assert.Equal(t, FakeSetting, *c.SqlSettings.AtRestEncryptKey) assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.Password) + assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.ClientKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GoogleDeveloperKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GiphySdkKey) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceReplicas[0]) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceSearchReplicas[0])
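Review bot: the test context on this branch includes `*c.AutoTranslationSettings.LibreTranslate.APIKey = "libre-api-key"` and its matching assertion, which the other two backports' hunks do not show, so the set of secret fields differs per release branch; with per-field branches every backport has to be checked separately for secrets that exist only on that branch, which is one more reason to prefer a generic, tag-driven redaction over hand-maintained lists.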
Vulnerability mechanics
Root cause
"The Config.Sanitize() function in server/public/model/config.go fails to redact several sensitive configuration fields (ExportAmazonS3SecretAccessKey, ElasticsearchSettings.ClientKey, ServiceSettings.GoogleDeveloperKey, ServiceSettings.GiphySdkKey) before including them in support packet generation, exposing plaintext credentials."
Attack vector
A Mattermost System Admin navigates to the System Console and downloads a support packet. The support packet is generated by serializing the server configuration, but the Sanitize() function does not replace the values of ExportAmazonS3SecretAccessKey, ElasticsearchSettings.ClientKey, ServiceSettings.GoogleDeveloperKey, and ServiceSettings.GiphySdkKey with the FakeSetting placeholder (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor). As a result, these sensitive fields are included in plaintext in the downloaded support packet. Any party with access to the support packet—whether the admin who downloaded it or a third party who later obtains the file—can read the plaintext credentials.
Affected code
The vulnerability exists in the Config.Sanitize() method in server/public/model/config.go. The method is responsible for redacting sensitive fields before configuration data is included in support packets, but it omitted four fields: FileSettings.ExportAmazonS3SecretAccessKey, ElasticsearchSettings.ClientKey, ServiceSettings.GoogleDeveloperKey, and ServiceSettings.GiphySdkKey.
What the fix does
The patch adds four new guarded assignments inside Config.Sanitize() in server/public/model/config.go (see the three fix commits listed under Patches). For each newly covered field, if the pointer is non-nil and the string is non-empty, the value is overwritten with the constant FakeSetting. This ensures that when a support packet is generated, the sensitive configuration values are replaced with a redacted placeholder instead of being emitted in plaintext. The corresponding test assertions in config_test.go verify that each field is correctly sanitized.
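Added here as an illustration of the alternative to per-field branches, in constructed Go that is not Mattermost's code: secret fields carry a `secret:"true"` struct tag, Sanitize redacts by tag, and UnredactedFields is the audit a unit test can run to list every field that survives redaction, which is how an omission like the four fields above would surface. The Config shape, the tag name and the sentinel values are assumptions.

```go
package main

import "reflect"

const FakeSetting = "********************************"

// Config is a constructed stand-in for model.Config; secrets carry a tag.
type Config struct {
	SiteURL                       *string
	ExportAmazonS3SecretAccessKey *string `secret:"true"`
	GoogleDeveloperKey            *string `secret:"true"`
	GiphySdkKey                   *string `secret:"true"`
}

// walk calls fn for every *string field of c with its struct field info.
func walk(c *Config, fn func(f reflect.StructField, fv reflect.Value)) {
	for v, i := reflect.ValueOf(c).Elem(), 0; i < v.NumField(); i++ {
		if fv := v.Field(i); fv.Kind() == reflect.Ptr && fv.Type().Elem().Kind() == reflect.String {
			fn(v.Type().Field(i), fv)
		}
	}
}

// Sanitize redacts every tagged secret that is non-nil and non-empty (the
// patch's guard) without a per-field branch that could be forgotten.
func (o *Config) Sanitize() {
	walk(o, func(f reflect.StructField, fv reflect.Value) {
		if f.Tag.Get("secret") == "true" && !fv.IsNil() && fv.Elem().String() != "" {
			fv.Elem().SetString(FakeSetting)
		}
	})
}

// UnredactedFields is the audit: set every string field to a unique sentinel,
// sanitize, and return the fields whose sentinel survived. Every name on the
// list must be justifiable as a non-secret.
func UnredactedFields() []string {
	c := &Config{}
	walk(c, func(f reflect.StructField, fv reflect.Value) {
		s := "SENTINEL-" + f.Name // fresh variable per field
		fv.Set(reflect.ValueOf(&s))
	})
	c.Sanitize()
	var leaked []string
	walk(c, func(f reflect.StructField, fv reflect.Value) {
		if fv.Elem().String() == "SENTINEL-"+f.Name {
			leaked = append(leaked, f.Name)
		}
	})
	return leaked
}
```

In the constructed Config the audit returns only SiteURL; against a real configuration struct it returns the reviewed non-secret list, and any new name appearing on it is a candidate leak.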
Preconditions
- auth: Attacker must be a Mattermost System Admin with access to the System Console to download a support packet.
- config: The affected configuration fields must contain non-empty sensitive values (e.g., an API key or secret access key).
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. mattermost.com/security-updates (source: nvd; Vendor Advisory)