Mattermost Desktop vulnerabilities

24 known vulnerabilities affecting mattermost/mattermost_desktop.

Total CVEs: 24
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 14, LOW 5

Vulnerabilities

Page 1 of 2
CVE-2026-1628 | MEDIUM | CVSS 4.6 | fixed in 5.13.4 | 2026-03-02
CVE-2026-1628 [MEDIUM] CWE-829: Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app, which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596
Source: nvd
CVE-2026-1046 | MEDIUM | CVSS 6.5 | affects ≥ 5.13.2, < 5.13.3 and ≥ 6.0.0, < 6.0.3 | 2026-02-16
CVE-2026-1046 [HIGH] CWE-939: Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links, which allows a malicious Mattermost server to execute arbitrary executables on a user's system via the user clicking on certain items in the Help menu. Mattermost Advisory ID: MMSA-2026-00577
Source: nvd
CVE-2025-13321 | LOW | CVSS 3.3 | fixed in 6.0.0 | 2025-12-17
CVE-2025-13321 [LOW] CWE-532: Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and to clear data on server deletion, which allows an attacker with access to the user's system to gain access to potentially sensitive information via reading the application logs.
Source: nvd
CVE-2025-13326 | LOW | CVSS 3.9 | fixed in 6.0.0 | 2025-12-17
CVE-2025-13326 [LOW] CWE-693: Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for the Mac App Store, which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.
Source: nvd
CVE-2025-55035 | MEDIUM | CVSS 6.1 | fixed in 5.13.1.0 | 2025-10-16
CVE-2025-55035 [MEDIUM] CWE-754: Mattermost Desktop App versions <=5.13.0 fail to manage modals in the Mattermost Desktop App that stops a user with a server that uses basic authentication from accessing their server which allows an attacker that provides a malicious server to the user to deny use of the Desktop App via having the user configure the malicious server and forcing a m
Source: nvd
CVE-2025-58084 | MEDIUM | CVSS 6.5 | fixed in 5.13.1.0 | 2025-10-13
CVE-2025-58084 [LOW] CWE-1287: Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application by sending the user a malformed URL.
Source: nvd
CVE-2025-1398 | LOW | CVSS 3.3 | fixed in 5.11.0 | 2025-03-17
CVE-2025-1398 [LOW] CWE-426: Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements, which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection.
Source: nvd
CVE-2024-39613 | HIGH | CVSS 7.8 | fixed in 5.9.0 | 2024-09-16
CVE-2024-39613 [MEDIUM] CWE-427: Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching for the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.
Source: nvd
CVE-2024-39772 | MEDIUM | CVSS 5.3 | fixed in 5.9.0 | 2024-09-16
CVE-2024-39772 [LOW] CWE-284: Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality, which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.
Source: nvd
CVE-2024-45835 | MEDIUM | CVSS 6.5 | fixed in 5.9.0 | 2024-09-16
CVE-2024-45835 [LOW] CWE-693: Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses, which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.
Source: nvd
CVE-2024-37182 | MEDIUM | CVSS 6.1 | affects ≤ 5.7.0 | 2024-06-14
CVE-2024-37182 [MEDIUM] CWE-693: Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs, which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.
Source: nvd
CVE-2024-36287 | LOW | CVSS 3.3 | affects ≤ 5.7.0 | 2024-06-14
CVE-2024-36287 [LOW] CWE-693: Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags, which allows for bypassing TCC restrictions on macOS.
Source: nvd
CVE-2023-5875 | MEDIUM | CVSS 5.3 | fixed in 5.5.1 | affects ≤ 5.5.0 | 2023-11-02
CVE-2023-5875 [LOW] CWE-693: Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones, allowing media exploitation from a malicious Mattermost server.
Sources: cvelistv5, nvd
CVE-2023-5876 | MEDIUM | CVSS 5.3 | fixed in 5.5.1 | affects ≤ 5.5.0 | 2023-11-02
CVE-2023-5876 [LOW] CWE-400: Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial of Service.
Sources: cvelistv5, nvd
CVE-2023-5920 | LOW | CVSS 3.3 | fixed in 5.5.1 | affects ≤ 5.5.0 | 2023-11-02
CVE-2023-5920 [LOW] CWE-200: Mattermost Desktop for macOS fails to utilize the secure keyboard input functionality provided by macOS, allowing other processes to read the keyboard input.
Sources: cvelistv5, nvd
CVE-2023-5339 | MEDIUM | CVSS 5.5 | affects ≤ 5.4.0 | 2023-10-17
CVE-2023-5339 [MEDIUM] CWE-200: Mattermost Desktop fails to set an appropriate log level during the initial run after a fresh installation, resulting in all keystrokes, including password entry, being logged.
Source: nvd
CVE-2023-2000 | MEDIUM | CVSS 5.4 | affects ≤ 5.2.2 | 2023-05-02
CVE-2023-2000 [MEDIUM] CWE-601: Mattermost Desktop App fails to validate a Mattermost server redirection and navigates to an arbitrary website.
Source: nvd
CVE-2019-20856 | CRITICAL | CVSS 9.8 | fixed in 4.3.0 | 2020-06-19
CVE-2019-20856 [CRITICAL] CWE-427: An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection.
Source: nvd
CVE-2016-11064 | CRITICAL | CVSS 9.8 | fixed in 3.4.0 | 2020-06-19
CVE-2016-11064 [CRITICAL] CWE-94: An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection.
Source: nvd
CVE-2019-20861 | HIGH | CVSS 8.8 | fixed in 4.2.2 | 2020-06-19
CVE-2019-20861 [HIGH]: An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link.
Source: nvd