CVE-2026-1046: Mattermost Desktop App
CVE-2026-1046: Mattermost Desktop App Help menu link flaw lets remote attackers execute arbitrary programs on Windows. Upgrade to patched version now to block full system takeover.
Vendor-confirmed: CVE-2026-1046 is a high-severity arbitrary code execution vulnerability in Mattermost Desktop App versions 6.0.0 and earlier, 6.2.0, and 5.2.13.0. It allows a malicious or compromised server to execute arbitrary programs on the user's Windows system via tampered Help menu links. Users must immediately upgrade to the latest patched version to prevent full system compromise.
Security Advisory: Arbitrary Code Execution via Help Menu Links in Mattermost Desktop App
Overview
A critical vulnerability exists in specific versions of the Mattermost Desktop application. The flaw is a lack of proper validation of the destinations of links shown in the application's Help menu. This allows a malicious or compromised Mattermost server to supply a tampered Help menu item that, when a user clicks it, can execute arbitrary programs on the user's Windows system.
Vulnerability Details
The Mattermost Desktop App is a client application for accessing Mattermost team collaboration servers. In affected versions, the application does not properly check or sanitize the destination of links placed in the Help menu by the server it is connected to. An attacker with control over a Mattermost server (e.g., a malicious public server or a compromised internal server) can craft a specially configured Help menu item.
When an unsuspecting user clicks this item, the application will execute a specified program from the local file system without adequate security warnings. This bypasses normal user consent mechanisms and can lead to a full system compromise.
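The defect described above is a missing destination check on server-supplied links. The following is an added example of the kind of allowlist validation a desktop client should apply before handing a Help menu link to the operating system; it is not Mattermost's own code, and the server item shape (`label`/`url`), the `SAMPLE_SERVER_ITEMS` data and the hostnames are constructed for illustration. In an Electron client such a check would sit in front of `shell.openExternal()`, so only well-formed http(s) URLs ever reach the OS.

```javascript
// Added example (not Mattermost's code): allowlist validation for
// server-supplied Help menu links. Only absolute http(s) URLs are accepted;
// file: URLs, bare local paths, UNC paths, custom schemes and URLs with
// embedded credentials are all refused before any OS handler is invoked.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only for a well-formed absolute http(s) URL.
function isSafeHelpLink(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return false;
  let url;
  try {
    url = new URL(raw); // WHATWG parser: relative/local paths throw here
  } catch {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false; // no file:, no custom schemes
  if (url.username || url.password) return false;         // no embedded credentials
  return true;
}

// Builds menu entries from server configuration, dropping every entry whose
// destination fails validation. Only the two fields the menu needs are kept,
// so no other server-controlled data is passed on.
function buildHelpMenuItems(serverItems) {
  const accepted = [];
  const rejected = [];
  for (const item of serverItems) {
    const label = typeof item.label === 'string' ? item.label.slice(0, 64) : '';
    if (label && isSafeHelpLink(item.url)) {
      accepted.push({ label, url: item.url });
    } else {
      rejected.push(item);
    }
  }
  return { accepted, rejected };
}

// Constructed sample input: two legitimate links plus the classes of
// destination a validator must refuse. Hosts and paths are placeholders.
const SAMPLE_SERVER_ITEMS = [
  { label: 'Documentation', url: 'https://docs.example.test/help' },
  { label: 'Support', url: 'http://support.example.test/' },
  { label: 'Report a problem', url: 'file:///C:/path/to/program.exe' },
  { label: 'Local path', url: 'C:\\path\\to\\program.exe' },
  { label: 'UNC share', url: '\\\\fileserver\\share\\program.exe' },
  { label: 'Credentials', url: 'https://user:pw@docs.example.test/' },
  { label: 'Custom scheme', url: 'ms-settings:' },
  { label: '', url: 'https://docs.example.test/unlabelled' },
];

// Runs the filter over the sample and returns the split result.
function demo() {
  return buildHelpMenuItems(SAMPLE_SERVER_ITEMS);
}

if (typeof require !== 'undefined' && require.main === module) {
  const { accepted, rejected } = demo();
  console.log('accepted:', accepted.map((i) => i.url));
  console.log('rejected:', rejected.map((i) => i.label || '(no label)'));
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { isSafeHelpLink, buildHelpMenuItems, demo };
}
```

Run with `node` to see the split; on the sample, only the two http(s) entries survive. The check is deliberately an allowlist rather than a blocklist of dangerous schemes, because the set of schemes Windows will hand to a local program is open-ended, while the set a Help menu legitimately needs is two entries long.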
Affected Versions:
- Mattermost Desktop App versions 6.0.0 and earlier
- Version 6.2.0
- Version 5.2.13.0
Mattermost Advisory ID: MMSA-2026-00577
CVE Identifier: CVE-2026-1046
Severity: HIGH (CVSS Score: 7.6)
Potential Impact
If successfully exploited, this vulnerability allows an attacker to run any executable file present on the victim’s Windows computer. This could lead directly to:
- Full System Takeover: Installation of malware, ransomware, or spyware.
- Data Theft: Exfiltration of sensitive files, credentials, or communications.
- Persistence: Establishment of backdoor access for ongoing attacks.
- Lateral Movement: Using the compromised machine to attack other systems on the network.
The attack requires user interaction (a click), but the tampered item appears within the trusted interface of a legitimate application, which makes the click highly plausible.
Remediation and Mitigation
Immediate Action Required:
- Update the Desktop App: All users must upgrade to a patched version of the Mattermost Desktop App immediately. The Mattermost team has released fixed versions. Check the official Mattermost download portal for the latest secure release.
- Verify Server Integrity: System administrators should audit their Mattermost server instances for signs of compromise, as this vulnerability is exploited via server-side configuration. Ensure your server software is also up-to-date.
Mitigation Steps (If Immediate Update is Not Possible):
- User Awareness: Advise users to exercise extreme caution and avoid clicking any items in the Help menu of the Mattermost Desktop App until the application is updated.
- Restrict Server Connections: Instruct users to connect only to known, trusted, organizationally managed Mattermost servers. The risk is significantly higher when connecting to unknown or public servers.
- Network Controls: Consider implementing network segmentation or rules that limit desktop app connections to authorized Mattermost servers only.
For the latest information and official patches, always refer to the security advisory published by Mattermost.