What happened
Mattermost versions across three release branches fail to validate attachment URLs against internal or private IP ranges in the MCP server component of the Agents plugin. An authenticated attacker with access to the MCP server in stdio mode can supply an internal network URL as an attachment target, causing the Mattermost server to issue requests to internal infrastructure on the attacker's behalf (server-side request forgery, CVSS 6.5).
Why it matters
Mattermost's Agents plugin is specifically designed to integrate AI agents into team communication workflows. SSRF in an MCP server context means an attacker can use the AI agent infrastructure as a pivot to reach internal services, database APIs, AI model endpoints, and cloud metadata services that should not be externally accessible.
Attack vector
The attachment handling in the Agents plugin MCP server accepts a URL and fetches it server-side without first checking whether the host is a literal private, loopback, or link-local address, or a hostname that resolves to one. An attacker with access to the MCP server in stdio mode therefore supplies an attachment URL such as a loopback address, an RFC 1918 address, or the cloud metadata address, and the Mattermost server makes the request from inside the network with its own network position; the attacker can use the result, or the side effect of the request, to reach services that are not exposed externally.
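The check the advisory describes as missing, written out as an added example in Go (the language of Mattermost's server and plugins). This is illustrative code, not the plugin's own fix: the function names, the constructed stub resolver, and the sample URLs are assumptions for this example. It validates the URL's scheme and every address the host resolves to, and, because a hostname can re-resolve between the check and the connect (DNS rebinding), it also re-checks the literal IP in a dialer Control hook at connect time and re-validates every redirect target.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// ErrInternalTarget is returned for any URL or socket address that would reach
// a non-public network.
var ErrInternalTarget = errors.New("attachment URL resolves to a non-public address")

// extraBlocked lists ranges that the net.IP helper methods do not flag.
// Constructed for this example; extend to suit the deployment.
var extraBlocked = []string{
	"0.0.0.0/8",     // "this" network
	"100.64.0.0/10", // carrier-grade NAT (RFC 6598)
	"192.0.0.0/24",  // IETF protocol assignments
	"198.18.0.0/15", // benchmarking
	"240.0.0.0/4",   // reserved
}

// isDisallowedIP reports whether ip must never be fetched. A nil (unparseable)
// address is treated as disallowed so the check fails closed. To4() inside the
// net.IP helpers unwraps IPv4-mapped IPv6 forms such as ::ffff:10.0.0.5.
func isDisallowedIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true // covers 127/8, RFC 1918, fc00::/7, 169.254/16 (cloud metadata), fe80::/10
	}
	for _, cidr := range extraBlocked {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// lookupFunc abstracts DNS so the pre-check can be tested offline; pass
// net.LookupIP in production.
type lookupFunc func(host string) ([]net.IP, error)

// validateAttachmentURL rejects non-http(s) schemes, embedded credentials,
// literal internal IPs, and hostnames where any resolved address is internal.
func validateAttachmentURL(raw string, lookup lookupFunc) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in attachment URL not allowed")
	}
	host := u.Hostname() // strips [] from IPv6 literals
	if host == "" {
		return nil, errors.New("attachment URL has no host")
	}
	if ip := net.ParseIP(host); ip != nil {
		if isDisallowedIP(ip) {
			return nil, ErrInternalTarget
		}
		return u, nil
	}
	ips, err := lookup(host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips { // every answer must be public, not just the first
		if isDisallowedIP(ip) {
			return nil, ErrInternalTarget
		}
	}
	return u, nil
}

// safeDialControl runs on every socket connect, after DNS resolution, with the
// literal "ip:port" Go is about to dial, so a rebinding hostname is still refused.
func safeDialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if isDisallowedIP(net.ParseIP(host)) {
		return ErrInternalTarget
	}
	return nil
}

// newAttachmentClient builds an http.Client that enforces the check at connect
// time and on each redirect hop, and ignores environment proxy settings.
func newAttachmentClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: safeDialControl}
	return &http.Client{
		Transport: &http.Transport{DialContext: d.DialContext, Proxy: nil},
		Timeout:   30 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := validateAttachmentURL(req.URL.String(), net.LookupIP)
			return err
		},
	}
}

func main() {
	// Constructed stub resolver so the example runs offline.
	stub := func(host string) ([]net.IP, error) {
		switch host {
		case "localhost":
			return []net.IP{net.ParseIP("127.0.0.1")}, nil
		case "files.example.com":
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		case "db.internal":
			return []net.IP{net.ParseIP("10.0.0.5")}, nil
		}
		return nil, fmt.Errorf("unknown host %q", host)
	}
	for _, raw := range []string{
		"https://files.example.com/report.pdf",
		"http://169.254.169.254/latest/meta-data/",
		"http://localhost:8065/api/v4/users",
		"http://db.internal:5432/",
		"http://[::ffff:10.0.0.5]/",
		"file:///etc/passwd",
	} {
		_, err := validateAttachmentURL(raw, stub)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
	_ = newAttachmentClient()
}
```

The pre-check alone is not sufficient: an attacker-controlled DNS name can pass validation and then resolve to 10.0.0.5 when the client actually connects, which is why the Dialer Control hook repeats the check on the literal address. Redirects are re-validated for the same reason, since a public host can 302 to the metadata service.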
Affected systems
Mattermost 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, 11.6.x ≤ 11.6.3
Mitigation
Update Mattermost to 10.11.19+, 11.5.7+, or 11.6.4+. See: https://mattermost.com/security-updates