CVE-2026-1046
CVE-2026-1046 is a high-severity vulnerability in Mattermost Mattermost Desktop with a CVSS 3.x base score of 7.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-939.
Key facts
- Severity: High (CVSS 3.x base score 7.6)
- EPSS exploit prediction: 0% (14th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-6090
- Weakness: CWE-939
- Affected product: Mattermost Mattermost Desktop
- Published:
- Last modified:
Description
Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577
Frequently asked questions
- What is CVE-2026-1046?
- Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577
- How severe is CVE-2026-1046?
- CVE-2026-1046 has a CVSS 3.x base score of 7.6, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity none, and availability low.
- Is CVE-2026-1046 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (14th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-1046?
- CVE-2026-1046 affects Mattermost Mattermost Desktop. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-1046?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-1046 have an EU (EUVD) identifier?
- Yes. CVE-2026-1046 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-6090.
- When was CVE-2026-1046 published?
- CVE-2026-1046 was published on 2026-02-16 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*
More vulnerabilities in Mattermost Mattermost Desktop
- CVE-2016-11064 — Critical (CVSS 9.8): An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection.
- CVE-2019-20856 — Critical (CVSS 9.8): An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection.
- CVE-2019-20861 — High (CVSS 8.8): An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a…
- CVE-2020-14456 — High (CVSS 7.3): An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during…
- CVE-2026-8683 — Medium (CVSS 6.5): Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the…
- CVE-2026-3471 — Medium (CVSS 6.5): Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in…
All CVEs affecting Mattermost Mattermost Desktop →
Other CWE-939 vulnerabilities
- CVE-2024-33606 — High (CVSS 8.8): An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing…
- CVE-2026-6445 — High (CVSS 8.7): A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive…
- CVE-2026-35394 — High (CVSS 8.3): Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in…
- CVE-2026-53408 — High (CVSS 8.1): Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before…
- CVE-2026-53407 — High (CVSS 8.1): Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before…
- CVE-2026-33335 — High (CVSS 8.0): Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0,…