Skip to main content

Mattermost EUVDEUVD-2026-12413

| CVE-2026-2462 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-16 Mattermost
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 13:00 euvd
EUVD-2026-12413
Analysis Generated
Mar 16, 2026 - 13:00 vuln.today
CVE Published
Mar 16, 2026 - 12:00 nvd
MEDIUM 6.6

DescriptionCVE.org

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

AnalysisAI

This vulnerability in Mattermost allows unauthenticated attackers to achieve remote code execution and exfiltrate sensitive credentials through malicious plugin installation on CI test instances that retain default admin credentials. Affected versions include Mattermost 10.11.x through 10.11.10, 11.2.x through 11.2.2, and 11.3.0, with the core issue stemming from insufficient access controls on plugin installation combined with default credential exposure. An attacker can upload a malicious plugin after modifying the import directory to gain full system compromise and access AWS and SMTP credentials stored in configuration files.

Technical ContextAI

The vulnerability exploits a failure in authorization controls (CWE-863: Incorrect Authorization) within Mattermost's plugin installation mechanism. Mattermost is a self-hosted team collaboration platform (identified via CPE cpe:2.3:a:mattermost:mattermost) that allows administrators to extend functionality through plugins. The root cause involves two compounding factors: first, CI test instances are deployed with default administrative credentials that remain unchanged in production-like configurations, and second, the plugin installation endpoint does not properly enforce authentication or authorization checks before allowing plugin uploads. An attacker with network access can change the plugin import directory path and upload arbitrary plugin files containing malicious code, which are then executed with the privileges of the Mattermost application server. This allows both arbitrary code execution on the host system and access to sensitive configuration data including database credentials, AWS API keys, and SMTP authentication tokens typically stored in plaintext configuration files accessible to the application process.

RemediationAI

Immediately upgrade affected Mattermost instances to patched versions beyond 10.11.10, 11.2.2, and 11.3.0 as specified in the vendor advisory at https://mattermost.com/security-updates. As a critical interim measure before patching, change all default administrative credentials immediately and enforce strong, unique passwords for all administrative accounts. Additionally, restrict network access to Mattermost instances to trusted IP ranges or VPN-only connectivity, disable plugin installation if not required for operations, and remove or restrict the ability to modify plugin import directories through configuration hardening. Review plugin installation logs and audit any plugins installed during the exposure window for signs of compromise. For CI/test instances specifically, implement separate credential management and avoid deploying test instances with production-like configurations or credentials. Monitor sensitive configuration files for unauthorized access and rotate all credentials stored in Mattermost configuration (AWS keys, SMTP passwords, database credentials) as a precautionary measure.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

EUVD-2026-12413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy