CVE-2026-3471
Mattermost Desktop App URL Spoofing Vulnerability
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: Mattermost, Inc.
Description
Mattermost Desktop App versions <=6.1, 6.0.1 and 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window, which allows a malicious server owner to crash the desktop application repeatedly by having it open a pop-up whose URL is `javascript:alert()`.
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | desktop_app | <= 6.1 (inclusive) |
| mattermost | desktop_app | 6.0.1 |
| mattermost | desktop_app | 5.4.13.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-939 | The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Mattermost Desktop App versions up to and including 6.1, as well as 6.0.1 and 5.4.13.0. The desktop app does not reject an invalid URL before loading it in a pop-up window. Because the content the desktop client renders comes from the Mattermost server it is connected to, a malicious server owner can make the app open a pop-up window whose URL is `javascript:alert()`; doing this repeatedly crashes the application. The attacker has to control a server the victim's client is signed in to, so the trust boundary crossed here is server to client, not network to client.
How can this vulnerability impact me?
A malicious server owner can crash the Mattermost Desktop App repeatedly by pushing the invalid pop-up URL, which is a denial of service against users of the affected versions for as long as their client is connected to that server. The entry describes only a crash; it does not report code execution or data disclosure, so the impact documented here is loss of availability of the desktop client.
What immediate steps should I take to mitigate this vulnerability?
Update the Mattermost Desktop App to a release that Mattermost lists as fixed. The affected ranges given here are <=6.1, 6.0.1 and 5.4.13.0; this entry does not name the first fixed version, so confirm the exact number against the Mattermost advisory rather than assuming the next patch release. Until the update is applied, note that the attacker must own a Mattermost server the desktop client is signed in to, so removing untrusted servers from the client's server list closes the path in the meantime.
Stay informed about security updates by subscribing to Mattermost's Security Bulletin and regularly checking their security updates page.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is in the Mattermost Desktop App itself (versions <=6.1, 6.0.1 and 5.4.13.0), which fails to prevent an invalid URL from loading in a pop-up window; a malicious server owner can use this to crash the application repeatedly.
Detection therefore means finding installed copies in the affected range, so first establish the installed version on each endpoint:
- On Windows, check the version in the app's About dialog, or inspect the version information in the properties of the installed executable.
- On Linux or macOS, check the About dialog or the version recorded by the package manager that installed the app; a `mattermost --version` style command may exist in some installs, but it is not confirmed by the sources this entry draws on.
The trigger is a `javascript:` URL, which executes inside the app's renderer and never produces a network request, and Mattermost client-server traffic is normally TLS, so there is no network signature to monitor for. Detection has to happen on the endpoint: look for repeated abnormal terminations of the Mattermost Desktop process (for example application-crash events for the Mattermost executable in the Windows Application event log, or macOS crash reports) that correlate with the client being connected to a particular server.
However, no specific detection commands or network signatures are provided in the available resources.