Mattermost Desktop
CVE-2026-1628
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596
AnalysisAI
Mattermost Desktop is affected by inclusion of functionality from untrusted control sphere (CVSS 4.6).
Technical ContextAI
This vulnerability (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) affects Mattermost Desktop. Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Mattermost Desktop
View allMattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a
Arbitrary code execution in Mattermost Desktop App through version 6.2.0 results from insufficient validation of help me
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated high severity (CVSS 7.3), this vulnerability is re
Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.5), this vulnerability is
Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows
An issue was discovered in Mattermost Desktop App before 4.4.0. Rated medium severity (CVSS 6.1), this vulnerability is
Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in loggin
Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website. Rated me
Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silen
Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enro
Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones allowi
Share
External POC / Exploit Code
Leaving vuln.today