CVE-2026-1046Improper Authorization in Handler for Custom URL Scheme in Desktop

CWE-939Improper Authorization in Handler for Custom URL Scheme4 documents4 sources
Severity
6.5MEDIUMNVD
CNA7.6
EPSS
0.0%
top 88.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mattermost DesktopMattermost
Timeline
PublishedFeb 16

Description

Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDmattermost/mattermost_desktop5.13.25.13.3+1
CVEListV5mattermost/mattermost6.2.0+1

🔴Vulnerability Details

2
CVEList
Arbitrary application execution via unvalidated server-controlled URLs in Help menu2026-02-16
GHSA
GHSA-gjx5-j34g-5g5p: Mattermost Desktop App versions <=62026-02-16

🕵️Threat Intelligence

1
Wiz
CVE-2026-1046 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-1046 — Mattermost Desktop vulnerability | cvebase