CVE-2026-1046
Arbitrary Code Execution via Help Link Validation Flaw in Mattermost Desktop
Publication date: 2026-02-16
Last updated on: 2026-03-23
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_desktop | From 6.0.0 (inc) to 6.0.3 (exc) |
| mattermost | mattermost_desktop | From 5.13.2 (inc) to 5.13.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-939 | The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost Desktop App versions up to 6.0, 6.2.0, and 5.2.13.0. The application fails to properly validate help links, which allows a malicious Mattermost server to execute arbitrary executables on a user's system if the user clicks on certain items in the Help menu.
How can this vulnerability impact me? :
The vulnerability can lead to arbitrary code execution on the user's system. This means that an attacker controlling a malicious Mattermost server could potentially run harmful programs on the user's device when the user interacts with specific Help menu items, potentially compromising system security and data integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know