Mattermost Desktop
CVE-2026-1046
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577
AnalysisAI
Arbitrary code execution in Mattermost Desktop App through version 6.2.0 results from insufficient validation of help menu links, enabling a malicious server administrator to execute arbitrary executables on affected users' systems when they click specially crafted help items. This vulnerability affects multiple versions including 5.2.13.0 and 6.0, requiring user interaction and authenticated server access to exploit. No patch is currently available for this HIGH severity vulnerability.
Technical ContextAI
Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Mattermost Desktop
View allMattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated high severity (CVSS 7.3), this vulnerability is re
Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.5), this vulnerability is
Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.1), this vulnerability is
Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in loggin
Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website. Rated me
Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silen
Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enro
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowi
Mattermost Desktop is affected by inclusion of functionality from untrusted control sphere (CVSS 4.6).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today