What is the CVSS score of CVE-2026-2462?

CVE-2026-2462 has a CVSS 3.1 base score of 6.6 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.1%.

Which versions of Mattermost are affected by CVE-2026-2462?

CVE-2026-2462 presents notable security risk, a incorrect authorization vulnerability rated CVSS 6.6. Attackers could gain access beyond their authorized level.

Mattermost CVE-2026-2462

Q: How to fix or mitigate CVE-2026-2462?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

EUVD-2026-12413 MEDIUM

Incorrect Authorization (CWE-863)

2026-03-16 Mattermost

Authentication Bypass RCE Mattermost

6.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 13:00 euvd

EUVD-2026-12413

Analysis Generated

Mar 16, 2026 - 13:00 vuln.today

CVE Published

Mar 16, 2026 - 12:00 nvd

MEDIUM 6.6

DescriptionNVD

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

AnalysisAI

This vulnerability in Mattermost allows unauthenticated attackers to achieve remote code execution and exfiltrate sensitive credentials through malicious plugin installation on CI test instances that retain default admin credentials. Affected versions include Mattermost 10.11.x through 10.11.10, 11.2.x through 11.2.2, and 11.3.0, with the core issue stemming from insufficient access controls on plugin installation combined with default credential exposure. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-2462 vulnerability details – vuln.today

Back