CVE-2026-2462

Severity: 6.6 MEDIUM
EPSS: 0.2% (top 60.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 16

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Exploitability: 2.3 | Impact: 3.7

Affected Packages (2 packages)

Source | Package | Versions as listed | Additional entries
NVD | mattermost/mattermost_server | 10.11.0 / 10.11.11 | +2 more not shown
CVEListV5 | mattermost/mattermost | 11.3.0 / 11.3.0 | +2 more not shown

Vulnerability Details (2 entries)

GHSA: GHSA-fprx-ppqr-8wgf: Mattermost versions 11 (2026-03-16)
CVEList: Admin RCE via Malicious Plugin Upload on CI Test Instances (2026-03-16)
Source: cvebase.io