Mattermost Desktop App <=6.1 Crash via window.close() in Renderer
CVE-2026-4643 Published on May 18, 2026
Calling window.close() from server-side content causes crash in the Mattermost Desktop App
Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633
Vulnerability Analysis
CVE-2026-4643 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Improper Check for Unusual or Exceptional Conditions
The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.
Products Associated with CVE-2026-4643
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Before and including 6.0.1 is affected.
- Before and including 5.4.13 is affected.
- Version 6.2.0 is unaffected.
- Version 6.1.1.0 is unaffected.
- Version 5.13.5.0 is unaffected.