CVE-2026-6347
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost Calls plugin writes TURN server credentials in plaintext to support packets, letting anyone with access to the packet obtain the secrets.
Vulnerability
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin. When a support packet is generated, the TURN server credentials are exported in plaintext within the plugin configuration, thereby exposing the secrets.
Exploitation
An attacker who gains access to a Mattermost support packet — either by direct file access, through a compromised support channel, or via a user who mistakenly shares the packet — can read the plaintext values of the TURN server credentials. No additional authentication or network position is required beyond obtaining the exported configuration file.
Impact
Successful extraction of the TURN server credentials allows the attacker to interact with the TURN relay service, potentially enabling call session hijacking, denial of service, or unauthorized use of the media infrastructure. The impact is confined to credential exposure, which may lead to broader compromise depending on how the TURN server is deployed and monitored.
Mitigation
Mattermost has released fixes as part of security update MMSA-2026-00605. Users should upgrade to a patched version: 11.5.2, 10.11.14, or 11.4.4 (or later). As a workaround, restrict access to support packets and ensure they are never shared with unauthorized parties. The advisory is available at the Mattermost security updates page [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3
Patches
4075d975ca738 Added FakeSetting for keys generation for support package (#35859)
2 files changed · +24 −0
server/public/model/config.go+16 −0 modified@@ -4848,6 +4848,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.FileSettings.AmazonS3SecretAccessKey = FakeSetting } + if o.FileSettings.ExportAmazonS3SecretAccessKey != nil && *o.FileSettings.ExportAmazonS3SecretAccessKey != "" { + *o.FileSettings.ExportAmazonS3SecretAccessKey = FakeSetting + } + if o.EmailSettings.SMTPPassword != nil && *o.EmailSettings.SMTPPassword != "" { *o.EmailSettings.SMTPPassword = FakeSetting } @@ -4880,6 +4884,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ElasticsearchSettings.Password = FakeSetting } + if o.ElasticsearchSettings.ClientKey != nil && *o.ElasticsearchSettings.ClientKey != "" { + *o.ElasticsearchSettings.ClientKey = FakeSetting + } + for i := range o.SqlSettings.DataSourceReplicas { o.SqlSettings.DataSourceReplicas[i] = sanitizeDataSourceField(o.SqlSettings.DataSourceReplicas[i], "SqlSettings.DataSourceReplicas") } @@ -4905,6 +4913,14 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ServiceSettings.SplitKey = FakeSetting } + if o.ServiceSettings.GoogleDeveloperKey != nil && *o.ServiceSettings.GoogleDeveloperKey != "" { + *o.ServiceSettings.GoogleDeveloperKey = FakeSetting + } + + if o.ServiceSettings.GiphySdkKey != nil && *o.ServiceSettings.GiphySdkKey != "" { + *o.ServiceSettings.GiphySdkKey = FakeSetting + } + if o.CacheSettings.RedisPassword != nil { *o.CacheSettings.RedisPassword = FakeSetting }
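Review bot: none of the four fields masked in these hunks (FileSettings.ExportAmazonS3SecretAccessKey, ElasticsearchSettings.ClientKey, ServiceSettings.GoogleDeveloperKey, ServiceSettings.GiphySdkKey) is the Calls plugin's TURN credential that the advisory describes, so this commit alone does not close the reported leak; the commit message should state that the TURN fix arrives with the plugin bump and that these are additional server fields caught in the same review. The new blocks copy the existing `!= nil && *x != ""` guard, which is consistent, but note that the neighbouring RedisPassword block in the last hunk checks only `!= nil`, so the two conventions now sit side by side without a comment explaining which one new fields should follow. Since Sanitize() remains a hand-maintained list, the same omission can recur with the next secret field; a test that walks Config and fails on any documented-sensitive field still holding its fixture value would catch that class of bug rather than this instance of it.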
server/public/model/config_test.go+8 −0 modified@@ -1513,9 +1513,13 @@ func TestConfigSanitize(t *testing.T) { *c.LdapSettings.BindPassword = "foo" *c.FileSettings.AmazonS3SecretAccessKey = "bar" + *c.FileSettings.ExportAmazonS3SecretAccessKey = "export-secret" *c.EmailSettings.SMTPPassword = "baz" *c.GitLabSettings.Secret = "bingo" *c.OpenIdSettings.Secret = "secret" + *c.ServiceSettings.GoogleDeveloperKey = "google-api-key" + *c.ServiceSettings.GiphySdkKey = "giphy-sdk-key" + *c.ElasticsearchSettings.ClientKey = "/path/to/client-key.pem" c.SqlSettings.DataSourceReplicas = []string{"stuff"} c.SqlSettings.DataSourceSearchReplicas = []string{"stuff"} c.SqlSettings.ReplicaLagSettings = []*ReplicaLagSettings{{ @@ -1529,12 +1533,16 @@ func TestConfigSanitize(t *testing.T) { assert.Equal(t, FakeSetting, *c.LdapSettings.BindPassword) assert.Equal(t, FakeSetting, *c.FileSettings.PublicLinkSalt) assert.Equal(t, FakeSetting, *c.FileSettings.AmazonS3SecretAccessKey) + assert.Equal(t, FakeSetting, *c.FileSettings.ExportAmazonS3SecretAccessKey) assert.Equal(t, FakeSetting, *c.EmailSettings.SMTPPassword) assert.Equal(t, FakeSetting, *c.GitLabSettings.Secret) assert.Equal(t, FakeSetting, *c.OpenIdSettings.Secret) assert.Equal(t, FakeSetting, *c.SqlSettings.DataSource) assert.Equal(t, FakeSetting, *c.SqlSettings.AtRestEncryptKey) assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.Password) + assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.ClientKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GoogleDeveloperKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GiphySdkKey) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceReplicas[0]) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceSearchReplicas[0])
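Review bot: the added assertions only cover the populated case, so nothing pins the two branches the `!= nil && != ""` guards exist for: a non-nil empty string should be left as `""` and a nil pointer must not panic. Adding a fixture such as `*c.ServiceSettings.GiphySdkKey = ""` alongside the populated one, and one case with the pointer set to nil, would lock that in. The fixture `/path/to/client-key.pem` for ElasticsearchSettings.ClientKey also deserves a comment, since it shows the field carries a file path rather than key material, so masking it hides deployment layout rather than a secret.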
1b7e721437cc Update plugin-calls to v1.11.4 (#35664)
1 file changed · +1 −1
server/Makefile+1 −1 modified@@ -152,7 +152,7 @@ TEMPLATES_DIR=templates # Plugins Packages PLUGIN_PACKAGES ?= $(PLUGIN_PACKAGES:) -PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.0 +PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.4 PLUGIN_PACKAGES += mattermost-plugin-github-v2.5.0 PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.12.1 PLUGIN_PACKAGES += mattermost-plugin-jira-v4.5.1
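Review bot: the commit message says only "Update plugin-calls to v1.11.4" while this page lists the bump from `mattermost-plugin-calls-v1.11.0` to `v1.11.4` as one of the patches for MMSA-2026-00605; a reference to the advisory in the message, or a comment beside the PLUGIN_PACKAGES line, would keep the security motivation from being lost in what otherwise reads as a routine dependency update. Also confirm that the prepackaged plugin archive for v1.11.4 is published and fetched by the build, since the Makefile line only names the package.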
f58aad93ec2c Added FakeSetting for keys generation for support package (#35862)
2 files changed · +24 −0
server/public/model/config.go+16 −0 modified@@ -4997,6 +4997,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.FileSettings.AmazonS3SecretAccessKey = FakeSetting } + if o.FileSettings.ExportAmazonS3SecretAccessKey != nil && *o.FileSettings.ExportAmazonS3SecretAccessKey != "" { + *o.FileSettings.ExportAmazonS3SecretAccessKey = FakeSetting + } + if o.EmailSettings.SMTPPassword != nil && *o.EmailSettings.SMTPPassword != "" { *o.EmailSettings.SMTPPassword = FakeSetting } @@ -5029,6 +5033,10 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ElasticsearchSettings.Password = FakeSetting } + if o.ElasticsearchSettings.ClientKey != nil && *o.ElasticsearchSettings.ClientKey != "" { + *o.ElasticsearchSettings.ClientKey = FakeSetting + } + for i := range o.SqlSettings.DataSourceReplicas { o.SqlSettings.DataSourceReplicas[i] = sanitizeDataSourceField(o.SqlSettings.DataSourceReplicas[i], "SqlSettings.DataSourceReplicas") } @@ -5054,6 +5062,14 @@ func (o *Config) Sanitize(pluginManifests []*Manifest, opts *SanitizeOptions) { *o.ServiceSettings.SplitKey = FakeSetting } + if o.ServiceSettings.GoogleDeveloperKey != nil && *o.ServiceSettings.GoogleDeveloperKey != "" { + *o.ServiceSettings.GoogleDeveloperKey = FakeSetting + } + + if o.ServiceSettings.GiphySdkKey != nil && *o.ServiceSettings.GiphySdkKey != "" { + *o.ServiceSettings.GiphySdkKey = FakeSetting + } + if o.CacheSettings.RedisPassword != nil { *o.CacheSettings.RedisPassword = FakeSetting }
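Review bot: this is the same field set as #35859 applied at different offsets (4997, 5033, 5062 instead of 4848, 4884, 4913), which is what a backport should look like; the points raised on the first commit carry over unchanged, in particular that the Calls plugin's TURN credential is not among the four fields masked here and that the list-based Sanitize() still has no guard against the next forgotten field.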
server/public/model/config_test.go+8 −0 modified@@ -1580,9 +1580,13 @@ func TestConfigSanitize(t *testing.T) { *c.LdapSettings.BindPassword = "foo" *c.FileSettings.AmazonS3SecretAccessKey = "bar" + *c.FileSettings.ExportAmazonS3SecretAccessKey = "export-secret" *c.EmailSettings.SMTPPassword = "baz" *c.GitLabSettings.Secret = "bingo" *c.OpenIdSettings.Secret = "secret" + *c.ServiceSettings.GoogleDeveloperKey = "google-api-key" + *c.ServiceSettings.GiphySdkKey = "giphy-sdk-key" + *c.ElasticsearchSettings.ClientKey = "/path/to/client-key.pem" c.SqlSettings.DataSourceReplicas = []string{"stuff"} c.SqlSettings.DataSourceSearchReplicas = []string{"stuff"} c.SqlSettings.ReplicaLagSettings = []*ReplicaLagSettings{{ @@ -1596,12 +1600,16 @@ func TestConfigSanitize(t *testing.T) { assert.Equal(t, FakeSetting, *c.LdapSettings.BindPassword) assert.Equal(t, FakeSetting, *c.FileSettings.PublicLinkSalt) assert.Equal(t, FakeSetting, *c.FileSettings.AmazonS3SecretAccessKey) + assert.Equal(t, FakeSetting, *c.FileSettings.ExportAmazonS3SecretAccessKey) assert.Equal(t, FakeSetting, *c.EmailSettings.SMTPPassword) assert.Equal(t, FakeSetting, *c.GitLabSettings.Secret) assert.Equal(t, FakeSetting, *c.OpenIdSettings.Secret) assert.Equal(t, FakeSetting, *c.SqlSettings.DataSource) assert.Equal(t, FakeSetting, *c.SqlSettings.AtRestEncryptKey) assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.Password) + assert.Equal(t, FakeSetting, *c.ElasticsearchSettings.ClientKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GoogleDeveloperKey) + assert.Equal(t, FakeSetting, *c.ServiceSettings.GiphySdkKey) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceReplicas[0]) assert.Equal(t, FakeSetting, c.SqlSettings.DataSourceSearchReplicas[0])
415033217ef9 Update plugin-calls to v1.11.4 (#35662)
1 file changed · +1 −1
server/Makefile+1 −1 modified@@ -142,7 +142,7 @@ TEMPLATES_DIR=templates # Plugins Packages PLUGIN_PACKAGES ?= $(PLUGIN_PACKAGES:) -PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.1 +PLUGIN_PACKAGES += mattermost-plugin-calls-v1.11.4 PLUGIN_PACKAGES += mattermost-plugin-github-v2.5.0 PLUGIN_PACKAGES += mattermost-plugin-gitlab-v1.12.1 PLUGIN_PACKAGES += mattermost-plugin-jira-v4.5.0
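Review bot: this branch started from `mattermost-plugin-calls-v1.11.1` rather than `v1.11.0`, and both backports converge on `v1.11.4`, so the prepackaged plugin version is consistent across the patched releases; as with #35664, the commit message gives no hint that this bump is the advisory's actual Calls plugin fix, and a reference to MMSA-2026-00605 would help anyone auditing the release later.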
Vulnerability mechanics
Root cause
"The Config.Sanitize() function omits several sensitive configuration fields (ExportAmazonS3SecretAccessKey, ClientKey, GoogleDeveloperKey, GiphySdkKey), leaving them in plaintext when a support packet is generated."
Attack vector
An attacker who already holds administrative privileges (PR:H) can generate or request a Mattermost support packet. Because the Config.Sanitize() function did not replace the values of ExportAmazonS3SecretAccessKey, ElasticsearchSettings.ClientKey, ServiceSettings.GoogleDeveloperKey, and ServiceSettings.GiphySdkKey with the FakeSetting placeholder [CWE-200], those secrets—including TURN server credentials from the Calls plugin configuration—are exported in plaintext. The attacker can then extract these credentials from the support packet and use them to access the TURN server or other protected services.
Affected code
The vulnerability is in the Config.Sanitize() method in server/public/model/config.go. The function iterates over many sensitive fields to replace them with FakeSetting, but prior to the patch it did not handle ExportAmazonS3SecretAccessKey, ElasticsearchSettings.ClientKey, ServiceSettings.GoogleDeveloperKey, or ServiceSettings.GiphySdkKey. The test file server/public/model/config_test.go was also updated to cover these fields.
What the fix does
The patch adds four new sanitization blocks inside Config.Sanitize() in server/public/model/config.go [patch_id=918494][patch_id=918500]. Each block checks whether the corresponding pointer field is non-nil and non-empty, and if so, overwrites it with the constant FakeSetting. The accompanying test file verifies that after sanitization these fields equal FakeSetting. This ensures that when a support packet is generated, the sensitive values are masked instead of being exported in plaintext.
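The masking pattern described above, together with the structural check that would have caught the omitted fields, as an added example that is not Mattermost's code. The Config struct, the `secret:"true"` struct tag, the Calls plugin setting names and the name heuristic for plugin settings are all assumptions made for the illustration; `maskSecret` follows the non-nil, non-empty guard the patch adds, `SanitizeByList` reproduces the pre-fix shape of a hand-maintained list with some fields deliberately missing, and `UnsanitizedSecrets` is the regression check that reports any secret location still holding a real value.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// FakeSetting stands in for the placeholder Mattermost writes over secrets.
const FakeSetting = "********************************"

// Illustrative config types, not Mattermost's real model.Config. Secret-bearing
// fields carry a hypothetical `secret:"true"` tag so sanitization can be
// checked mechanically instead of through a hand-maintained field list.
type FileSettings struct {
	Directory                     *string // not a secret; must survive untouched
	AmazonS3SecretAccessKey       *string `secret:"true"`
	ExportAmazonS3SecretAccessKey *string `secret:"true"`
}

type ServiceSettings struct {
	GoogleDeveloperKey *string `secret:"true"`
	GiphySdkKey        *string `secret:"true"`
}

type Config struct {
	FileSettings    FileSettings
	ServiceSettings ServiceSettings
	Plugins         map[string]map[string]any // free-form, matched by key name
}

func strp(s string) *string { return &s }

// maskSecret is the per-field pattern the fix adds: a non-nil, non-empty
// pointer is overwritten; nil pointers and empty strings are left as they are.
func maskSecret(p *string) {
	if p != nil && *p != "" {
		*p = FakeSetting
	}
}

// SanitizeByList has the pre-fix shape of Config.Sanitize(): an explicit list
// that is easy to leave incomplete. ExportAmazonS3SecretAccessKey, GiphySdkKey
// and the plugin settings are deliberately missing here.
func SanitizeByList(c *Config) {
	maskSecret(c.FileSettings.AmazonS3SecretAccessKey)
	maskSecret(c.ServiceSettings.GoogleDeveloperKey)
}

// looksSecret is a constructed name heuristic for free-form plugin settings.
func looksSecret(key string) bool {
	k := strings.ToLower(key)
	for _, w := range []string{"secret", "password", "credential", "token", "apikey"} {
		if strings.Contains(k, w) {
			return true
		}
	}
	return false
}

// forEachSecret visits every tagged *string field (recursing into nested
// structs) and every secret-looking plugin setting, passing fn a dotted path,
// the current value and a setter for that location.
func forEachSecret(c *Config, fn func(path, value string, set func(string))) {
	var walk func(v reflect.Value, prefix string)
	walk = func(v reflect.Value, prefix string) {
		for i := 0; i < v.NumField(); i++ {
			f, fv := v.Type().Field(i), v.Field(i)
			switch {
			case fv.Kind() == reflect.Struct:
				walk(fv, prefix+f.Name+".")
			case f.Tag.Get("secret") == "true" && fv.Type() == reflect.TypeOf((*string)(nil)):
				if p := fv.Interface().(*string); p != nil {
					fn(prefix+f.Name, *p, func(s string) { *p = s })
				}
			}
		}
	}
	walk(reflect.ValueOf(c).Elem(), "")
	for id, settings := range c.Plugins {
		for k, raw := range settings {
			if s, ok := raw.(string); ok && looksSecret(k) {
				fn("Plugins."+id+"."+k, s, func(v string) { settings[k] = v })
			}
		}
	}
}

// SanitizeAll masks everything forEachSecret can find.
func SanitizeAll(c *Config) {
	forEachSecret(c, func(_, v string, set func(string)) {
		if v != "" {
			set(FakeSetting)
		}
	})
}

// UnsanitizedSecrets returns the sorted paths of secret locations that still
// hold a real value; a test asserting it is empty catches any field that a
// list-based sanitizer forgot before it can reach a support packet.
func UnsanitizedSecrets(c *Config) []string {
	var leaked []string
	forEachSecret(c, func(path, v string, _ func(string)) {
		if v != "" && v != FakeSetting {
			leaked = append(leaked, path)
		}
	})
	sort.Strings(leaked)
	return leaked
}

// sampleConfig is constructed input; the Calls plugin keys are hypothetical.
func sampleConfig() *Config {
	return &Config{
		FileSettings:    FileSettings{strp("./data"), strp("s3-secret"), strp("export-secret")},
		ServiceSettings: ServiceSettings{strp("google-api-key"), strp("giphy-sdk-key")},
		Plugins: map[string]map[string]any{
			"com.mattermost.calls": {"TURNServers": "turn:turn.example.test:3478", "TURNStaticAuthSecret": "turn-shared-secret"},
		},
	}
}

func main() {
	byList := sampleConfig()
	SanitizeByList(byList)
	fmt.Println("still in plaintext after list-based sanitize:", UnsanitizedSecrets(byList))
	full := sampleConfig()
	SanitizeAll(full)
	fmt.Println("still in plaintext after tag-based sanitize:", UnsanitizedSecrets(full))
}
```

Running it reports the three locations the list-based sanitizer missed (the export S3 key, the Giphy key and the plugin's TURN secret) and an empty list after the tag-driven pass, while the non-secret `Directory` and `TURNServers` values are left readable. The design point is that the list of secrets lives next to the field definitions rather than in the sanitizer, so adding a field without marking it is the only way to leak, and that is what the regression check exists to flag.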
Preconditions
- auth: Attacker must have administrative privileges (High) to generate or access a support packet.
- config: The Mattermost Calls plugin must be configured with TURN server credentials or other sensitive values in the affected fields.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. mattermost.com/security-updates (Vendor Advisory, via NVD)
News mentions
No linked articles in our index yet.