Skip to main content

Mattermost Desktop CVE-2026-1046

HIGH
Improper Authorization in Handler for Custom URL Scheme (CWE-939)
2026-02-16 responsibledisclosure@mattermost.com
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 16, 2026 - 13:16 nvd
HIGH 7.6

DescriptionCVE.org

Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577

AnalysisAI

Arbitrary code execution in Mattermost Desktop App through version 6.2.0 results from insufficient validation of help menu links, enabling a malicious server administrator to execute arbitrary executables on affected users' systems when they click specially crafted help items. This vulnerability affects multiple versions including 5.2.13.0 and 6.0, requiring user interaction and authenticated server access to exploit. No patch is currently available for this HIGH severity vulnerability.

Technical ContextAI

Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2024-39613 HIGH
7.8 Sep 16

Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a

CVE-2020-14456 HIGH
7.3 Jun 19

An issue was discovered in Mattermost Desktop App before 4.4.0. Rated high severity (CVSS 7.3), this vulnerability is re

CVE-2024-45835 MEDIUM
6.5 Sep 16

Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather

CVE-2020-14455 MEDIUM
6.5 Jun 19

An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.5), this vulnerability is

CVE-2024-37182 MEDIUM
6.1 Jun 14

Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows

CVE-2020-14454 MEDIUM
6.1 Jun 19

An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.1), this vulnerability is

CVE-2023-5339 MEDIUM
5.5 Oct 17

Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in loggin

CVE-2023-2000 MEDIUM
5.4 May 02

Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website. Rated me

CVE-2024-39772 MEDIUM
5.3 Sep 16

Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silen

CVE-2023-5876 MEDIUM
5.3 Nov 02

Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enro

CVE-2023-5875 MEDIUM
5.3 Nov 02

Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowi

CVE-2026-1628 MEDIUM
4.6 Mar 02

Mattermost Desktop is affected by inclusion of functionality from untrusted control sphere (CVSS 4.6).

Share

CVE-2026-1046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy