CVE-2026-1046 HIGH

CVE-2026-1046: Arbitrary application execution via unvalidated server-controlled URLs in Help menu

Vendor: Mattermost
Product: Mattermost
Weakness: CWE-939
Published: February 16, 2026
Last update: February 17, 2026

CVSS base score

7.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L

What the vulnerability does

01 Description

Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links, which allows a malicious Mattermost server to execute arbitrary executables on a user’s system when the user clicks certain items in the Help menu. Mattermost Advisory ID: MMSA-2026-00577
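
The kind of check whose absence the description reports, as an added example (not Mattermost's code; the vendor's fix is not shown on this page). It assumes help links should only ever be web URLs; `validateHelpLink`, `ALLOWED_PROTOCOLS` and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Validate a server-supplied help link before it is handed to the OS URL opener.
// Assumption: only http(s) links are legitimate for Help menu items.
const ALLOWED_PROTOCOLS = new Set(['https:', 'http:']);

function validateHelpLink(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  // Reject control characters and backslashes up front: the WHATWG URL parser
  // silently strips tabs/newlines and rewrites "\" to "/", so the parsed URL
  // could differ from the raw string a caller might otherwise pass on.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) {
    return { ok: false, reason: 'control character or backslash' };
  }
  let url;
  try {
    url = new URL(raw.trim()); // relative or malformed input throws
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'embedded credentials' };
  }
  // Return the normalized form so the caller opens exactly what was validated.
  return { ok: true, href: url.href };
}

// Constructed sample values, standing in for links a server config could supply.
const SAMPLES = [
  'HTTPS://Docs.Example.com/help',
  'file:///opt/constructed/sample',
  'example-handler://constructed',
  '\\\\fileserver\\share\\doc',
  'https://user:pw@docs.example.com/',
  '/relative/help',
];

function checkSamples() {
  return SAMPLES.map((s) => ({ input: s, ...validateHelpLink(s) }));
}

for (const r of checkSamples()) {
  console.log(r.ok ? `open   ${r.href}` : `reject ${JSON.stringify(r.input)} (${r.reason})`);
}
```

The caller should pass only the returned `href` to the opener and treat every rejection as a reason not to open anything, rather than falling back to the raw string.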

Key dates

02 Disclosure timeline

February 16, 2026 CVE published
February 17, 2026 Record updated