VYPR
Medium severity 6.3 (NVD Advisory) · Published Jun 15, 2026

CVE-2026-6517

Description

Mattermost Desktop App <=6.1.5.5.13.0 fails to restrict NTLM credential forwarding domains, allowing attackers on servers without image proxy to intercept credentials via embedded external images.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Mattermost Desktop App versions up to and including 6.1.5.5.13.0, the allow list of domains to which NTLM credentials are forwarded is not properly restricted. This allows attackers on a server without the image proxy enabled to intercept NTLM credentials of other users by embedding an external image that routes to a malicious web server. The vulnerability is tracked as MMSA-2026-00651 [1].

Exploitation

An attacker with the ability to post messages on a Mattermost server that does not have the image proxy enabled can craft a message containing an image tag whose src points to an attacker-controlled external web server. When other users view the message, the Mattermost Desktop App automatically attempts to load the image and, because of the insufficient domain restriction, forwards NTLM credentials to the external server. User interaction (viewing the message) is required.

Impact

Successful exploitation allows an attacker to capture NTLM credentials of other users, potentially leading to unauthorized access to systems that trust those credentials, thus compromising confidentiality and potentially enabling lateral movement.

Mitigation

As of the publication date, a fix has not been released. The vendor recommends enabling the image proxy on Mattermost servers so that embedded external images are fetched by the server rather than by the desktop client, preventing automatic credential forwarding to external domains. Monitor the Mattermost Security Updates page [1] for future patches.
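Detection logic for the credential-forwarding behaviour described above, as an added example that is not part of this advisory or of Mattermost's own code. It assumes a constructed egress-proxy log format and hypothetical internal host names; it decodes the NTLMSSP message type from Authorization headers and flags NTLM exchanges with hosts outside an allow list, where a Type 3 (AUTHENTICATE) message is the one that carries the user's NTLM response.

```python
import base64, re, struct
from urllib.parse import urlsplit

ALLOWED_NTLM_HOSTS = {"chat.corp.example", "sso.corp.example"}  # hypothetical internal hosts
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Constructed egress-proxy log format: <ts> <client> <method> <url> [authorization="..."]
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)'
                      r'(?: authorization="(?P<auth>[^"]*)")?$')

def ntlm_message_type(auth_header):
    """Return the NTLMSSP MessageType (1/2/3) in an Authorization header, else None."""
    scheme, _, blob = auth_header.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE") or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):  # e.g. SPNEGO, not raw NTLMSSP
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # MessageType at offset 8, little-endian

def find_ntlm_leaks(log_lines, allowed_hosts=ALLOWED_NTLM_HOSTS):
    """Flag NTLM exchanges with hosts outside the allow list; type 3 carries the response."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        msg_type = ntlm_message_type(m["auth"]) if m and m["auth"] else None
        if msg_type is None:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append({"client": m["client"], "host": host,
                             "ntlm_type": NTLM_TYPES.get(msg_type, str(msg_type)),
                             "credential_exposed": msg_type == 3})
    return findings

def ntlm_blob(msg_type):
    # Constructed minimal NTLMSSP message (signature, type, zero padding) as base64.
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24).decode()

# Constructed sample: a legitimate internal exchange, a Basic-auth fetch, then an
# embedded-image fetch that negotiates and authenticates NTLM to an external host.
SAMPLE_LOG = [
    f'2026-06-15T10:02:11Z 10.0.0.5 GET https://chat.corp.example/api/v4/users/me authorization="NTLM {ntlm_blob(3)}"',
    '2026-06-15T10:02:13Z 10.0.0.5 GET http://img.external.example/pixel.png authorization="Basic dXNlcjpwdw=="',
    f'2026-06-15T10:02:13Z 10.0.0.5 GET http://img.external.example/pixel.png authorization="NTLM {ntlm_blob(1)}"',
    f'2026-06-15T10:02:14Z 10.0.0.5 GET http://img.external.example/pixel.png authorization="NTLM {ntlm_blob(3)}"',
]
```

Run `find_ntlm_leaks(SAMPLE_LOG)` to see both external NTLM messages flagged, with only the Type 3 one marked as exposing credential material.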

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Mattermost / Desktop (inferred), 2 version ranges:
    • (no CPE) range: <=6.1
    • (no CPE) range: <=5.5.13.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.