CVE-2026-3471
Status: Analyzed - Analysis Complete
Mattermost Desktop App URL Spoofing Vulnerability

Publication date: 2026-05-18

Last updated on: 2026-06-05

Assigner: Mattermost, Inc.

Description
Mattermost Desktop App versions <=6.1, 6.0.1 and 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window, which allows a malicious server owner to repeatedly crash the application by calling `window.open('javascript:alert()')`. Mattermost Advisory ID: MMSA-2026-00618
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-18
EPSS Evaluated: 2026-06-08
Source: NVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor      Product             Version / Range
mattermost  mattermost_desktop  up to 5.4.13.0 (inclusive)
mattermost  mattermost_desktop  from 6.0.0 (inclusive) to 6.0.1 (inclusive)
mattermost  mattermost_desktop  from 6.1.0 (inclusive) to 6.2.0 (exclusive)
CWE
CWE-939: The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
AI Quick Actions
Executive Summary

This vulnerability affects the Mattermost Desktop App in the ranges listed under Affected Vendors & Products: 6.1.x releases before 6.2.0, 6.0.0 through 6.0.1, and 5.4.13.0 and earlier. The application fails to validate the URL handed to a pop-up window before loading it. A malicious server owner can therefore have content served to the desktop client call `window.open('javascript:alert()')` repeatedly; a `javascript:` URL is not a loadable page, and each attempt crashes the application. Although the advisory title classifies the issue as URL spoofing, the effect described is a crash of the client.
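The weakness described above is a window-open handler that passes whatever string the page supplies straight to a pop-up. The following is an added example of the hardening pattern an Electron application can apply; it is not Mattermost's code and not the fix shipped for CVE-2026-3471. The allow-listed origin `https://chat.example.com` and the function names are assumptions made for the example. The policy is a pure function, so it runs under plain Node.js without Electron; the one-line wiring into `webContents.setWindowOpenHandler` is shown in a comment.

```javascript
'use strict';

// Hypothetical allow-list of server origins the user has added (assumption for this example).
const ALLOWED_ORIGINS = new Set(['https://chat.example.com']);

// Hardened policy: parse first, then allow only http(s) URLs on an allow-listed origin.
// The return shape matches what Electron's setWindowOpenHandler callback expects
// ({ action: 'allow' | 'deny' }); `reason` is an extra field kept for logging.
function decideWindowOpen(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl); // throws on unparseable input such as 'not a url' or 'http://['
  } catch {
    return { action: 'deny', reason: 'unparseable URL' };
  }
  // Scheme check: javascript:, file:, data: and custom schemes are refused outright.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { action: 'deny', reason: `scheme ${url.protocol} not allowed` };
  }
  // Origin check: compare the parsed origin, not a string prefix, so that
  // 'https://chat.example.com.evil.net' and 'https://chat.example.com@evil.net' are refused.
  if (!allowedOrigins.has(url.origin)) {
    return { action: 'deny', reason: `origin ${url.origin} not allow-listed` };
  }
  // Allow, but keep the pop-up's renderer locked down regardless of the parent's settings.
  return {
    action: 'allow',
    overrideBrowserWindowOptions: {
      webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true },
    },
  };
}

// Wiring in an Electron main process (not executed here):
//   mainWindow.webContents.setWindowOpenHandler(({ url }) => decideWindowOpen(url));

// The unsafe pattern this replaces: every request is allowed and the raw string
// reaches the pop-up unvalidated, which is the condition the page describes being
// abused with window.open('javascript:alert()').
function unsafeDecideWindowOpen() {
  return { action: 'allow' };
}

// Sample requests (constructed for the example) run through both policies.
const SAMPLE_REQUESTS = [
  'javascript:alert()',
  'not a url',
  'file:///etc/passwd',
  'https://chat.example.com.evil.net/',
  'https://chat.example.com@evil.net/',
  'https://chat.example.com/channels/town-square',
];
for (const req of SAMPLE_REQUESTS) {
  console.log(req, '->', decideWindowOpen(req).action, '/ unsafe:', unsafeDecideWindowOpen(req).action);
}
```

The important design choice is that the URL is parsed with the platform `URL` parser and the decision is taken on the resulting `protocol` and `origin`, never on the raw string; a regex or `startsWith('https://')` check misses userinfo tricks and trailing-host tricks that the parser handles correctly.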

Impact Analysis

The impact is a denial of service against the desktop client. An attacker who controls a Mattermost server that the affected app connects to (a malicious server owner) can serve content that calls `window.open` with an invalid URL, crashing the application; repeating the call keeps the client unusable for as long as it reconnects to that server. Confidentiality and integrity effects are not described in the advisory.

Mitigation Strategies

To mitigate this vulnerability, update the Mattermost Desktop App to a release outside the affected ranges (6.1.x before 6.2.0, 6.0.0 through 6.0.1, and 5.4.13.0 and earlier); consult Mattermost advisory MMSA-2026-00618 for the fixed release on each line. Until the client is updated, the exposure is limited to servers the client connects to, so removing untrusted or unknown servers from the app reduces the attack surface.

Stay informed about security updates by subscribing to Mattermost's Security Bulletin and regularly checking their security updates page.

Detection Guidance

Exploitation requires the desktop client to be connected to a server under the attacker's control, and the trigger (`window.open('javascript:alert()')`) executes inside the client. Detection therefore starts with inventory: determine which version of the Mattermost Desktop App is installed on each system and compare it with the affected ranges above.

  • On Windows, read the version from the application's 'About' dialog or from the Details tab of the executable's properties.
  • On macOS, use the 'About' dialog. On Linux, query the package manager if the app was installed from Mattermost's packages (typically `dpkg -s mattermost-desktop` on Debian-based systems or `rpm -q mattermost-desktop` on RPM-based systems), or use the 'About' dialog for other install methods.
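Once the version string has been collected, it has to be compared against the three ranges in the CPE table, which is easy to get wrong by hand (6.0.1 is affected, 6.0.2 is not; 6.1.9 is affected, 6.2.0 is not). The following is an added example, not code from the page or from Mattermost, that encodes exactly the ranges listed under Affected Vendors & Products and classifies a version string. It deliberately reports versions that fall between the listed ranges (for example 5.5.x) as not affected, because the page lists no range covering them.

```javascript
'use strict';

// Affected ranges as published in the page's CPE table. `low: null` means unbounded below.
const AFFECTED_RANGES = [
  { low: null,    high: '5.4.13.0', highInclusive: true  },
  { low: '6.0.0', high: '6.0.1',    highInclusive: true  },
  { low: '6.1.0', high: '6.2.0',    highInclusive: false },
];

// Parse "6.1.3", "v5.4.13.0" or "6.1.3-beta.1" into numeric components.
// A pre-release suffix is ignored for the comparison; missing trailing components count as 0.
function parseVersion(s) {
  const m = /^v?(\d+(?:\.\d+)*)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return m[1].split('.').map(Number);
}

// Component-wise comparison: returns -1, 0 or 1, padding the shorter version with zeros
// so that "5.4.13" and "5.4.13.0" compare equal.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside any listed affected range.
function isAffected(version, ranges = AFFECTED_RANGES) {
  return ranges.some(({ low, high, highInclusive }) => {
    const aboveLow = low === null || compareVersions(version, low) >= 0;
    const cmpHigh = compareVersions(version, high);
    const belowHigh = highInclusive ? cmpHigh <= 0 : cmpHigh < 0;
    return aboveLow && belowHigh;
  });
}

// Sample inventory (constructed for the example): hostname -> reported desktop app version.
const SAMPLE_INVENTORY = {
  'ws-001': '6.1.3',
  'ws-002': '6.2.0',
  'ws-003': 'v5.4.13.0',
  'ws-004': '6.0.2',
  'ws-005': '5.5.0',
};

// Returns the hostnames whose installed version is affected.
function affectedHosts(inventory = SAMPLE_INVENTORY) {
  return Object.entries(inventory)
    .filter(([, version]) => isAffected(version))
    .map(([host]) => host);
}

for (const [host, version] of Object.entries(SAMPLE_INVENTORY)) {
  console.log(`${host}\t${version}\t${isAffected(version) ? 'AFFECTED' : 'not affected'}`);
}
```

Feed `isAffected` the strings produced by whatever inventory source is available (the About dialog, package manager output, or an endpoint-management export); the `v` prefix and a pre-release suffix are tolerated so that raw package versions can be passed through unchanged.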

Network-based detection is not practical for this issue: a `javascript:` URL is evaluated inside the client's renderer and is never requested over the wire, and the content that issues the `window.open` call arrives from a server the client has been configured to trust. The usable indicator is behavioural on the endpoint: repeated crashes of the Mattermost Desktop App that correlate with a connection to a particular server.

No specific detection commands or network signatures are provided in the available resources.
