Mattermost
Mattermostcollaboration3 credentials
Database Credentials
mattermost / database-credentials
Mattermost server configuration can be supplied through config.json, database-backed configuration, or environment variables. Database connection strings are explicitly called out in Mattermost configuration documentation.
Looks like
pattern(?:postgres|mysql)://[^\s:@]+:[^\s@]+@[^\s/]+Location
config.jsonMattermost SqlSettings DataSource and related database settings
MM_SQLSETTINGS_DATASOURCE, MM_SQLSETTINGS_DRIVERNAMEKubernetes Secrets, cloud secret managers, CI/CD variables, and database password vaults
committed config.json, Helm values, Docker Compose files, and tests
startup logs and database connection troubleshooting output
Notes
Database access can expose users, sessions, personal access tokens, channels, files metadata, and plugin configuration.
Personal Access Token
mattermost / personal-access-token
Mattermost personal access tokens authenticate against the API and are equivalent to regular session tokens for many purposes. Mattermost documents that personal access tokens are cryptic random IDs and can be used with AD/LDAP and SAML accounts.
Location
AuthorizationBearer token used for Mattermost API requests
Mattermost database token/session tables storing token state
MATTERMOST_TOKEN, MM_ACCESS_TOKENbot config, integration config, .env files, and deployment manifests
CI/CD variables, bot secret stores, and cloud secret managers
bot scripts, tests, and committed integration clients
API client traces and automation logs
Notes
Token blast radius depends on the creating user's permissions and any additional roles granted for token use.
User Password
mattermost / user-password
Mattermost users authenticate with local, LDAP, SAML, or other configured authentication backends. Local passwords and sessions are stored in the Mattermost database.
Location
Mattermost database storing user account and password/session verifier data
/login, Mattermost APIMattermost web login and API endpoints
local dev config, test fixtures, and LDAP bind settings
password vaults and identity provider secrets
authentication logs and web server traces
Notes
Login credentials may live in Mattermost itself or in connected LDAP/SAML identity providers depending on site configuration.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.