CVE-2026-2462

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.0

Description The software does not properly restrict plugin installation on CI test instances when using default administrator credentials. This allows an unauthenticated attacker to achieve remote code execution and potentially exfiltrate sensitive configuration data, including AWS and SMTP credentials. The attacker achieves this by uploading a malicious plugin after modifying the import directory.

Recommendations Mattermost versions 10.11.x through 10.11.10 should be updated to a newer, secure version. Mattermost versions 11.2.x through 11.2.2 should be updated to a newer, secure version. Mattermost versions 11.3.x through 11.3.0 should be updated to a newer, secure version.