Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Delivery via attacker-controlled network server; victim must connect actively (UI:R); crash-only impact (A:H); no client-side privilege required (PR:N); no C or I impact.
Primary rating from Vendor (Mattermost).
CVSS VectorVendor: Mattermost
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-00652
AnalysisAI
Denial of service in Mattermost Desktop App (versions ≤6.1 and ≤5.5.13.0) allows a malicious Mattermost server owner to crash client applications by injecting a script that calls window.open() with an excessively large URL, exploiting a missing resource limit on URL length processing. Exploitation requires user interaction - the victim must actively connect their Desktop App to an attacker-controlled server - and impact is strictly limited to application availability with no confidentiality or integrity exposure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the Mattermost Desktop App, built on the Electron framework, does not enforce an upper bound on URL length before passing it to the underlying window.open() call. When a URL exceeds OS or Electron runtime resource limits, the resulting unhandled allocation failure terminates the application process. The affected software surface is the client-server trust boundary in Mattermost's architecture, where a connected server can deliver JavaScript into the desktop client context. The CPE string cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:* covers the Mattermost desktop client across both the v6.x and v5.x release branches. The advisory identifier MMSA-2026-00652 is Mattermost's own internal tracking reference, confirming first-party acknowledgment of the issue.
RemediationAI
Upgrade the Mattermost Desktop App to a version above 6.1 on the v6.x branch or above 5.5.13.0 on the v5.x branch per the Mattermost security advisory at https://mattermost.com/security-updates (MMSA-2026-00652). Note that exact patched release version numbers beyond the stated vulnerable upper bounds were not independently confirmed in the available data - consult the advisory page directly for the specific fixed release. As a compensating control pending upgrade, enforce endpoint policy or firewall rules restricting Mattermost Desktop App connections to only internally managed, trusted server instances; this removes the malicious-server-owner threat actor from the risk model entirely. Organizations operating Mattermost in a closed enterprise environment where all server connections are pre-approved face negligible residual risk even prior to patching.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36732
GHSA-pf78-3frq-v82v