Mattermost Desktop App <=6.0 Help Link RCE CVE-2026-1046 via Malicious Server
CVE-2026-1046 Published on February 16, 2026
Arbitrary application execution via unvalidated server-controlled URLs in Help menu
Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a users system via the user clicking on certain items in the Help menu Mattermost Advisory ID: MMSA-2026-00577
Vulnerability Analysis
CVE-2026-1046 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a small impact on availability.
Weakness Type
Improper Authorization in Handler for Custom URL Scheme
The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.
Products Associated with CVE-2026-1046
stack.watch emails you whenever new vulnerabilities are published in MatterMost or Mattermost Desktop. Just hit a watch button to start following.
Affected Versions
Mattermost:- Before and including 6.2.0 is affected.
- Before and including 5.2.13 is affected.
- Version 6.1.0 is unaffected.
- Version 6.0.3.0 is unaffected.
- Version 5.13.3.0 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.