PT-2026-25700 · Mattermost · Mattermost
Daw10
·
Published
2026-02-13
·
Updated
2026-03-16
·
CVE-2026-2462
CVSS v3.1
6.6
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.11.x through 10.11.10
Mattermost versions 11.2.x through 11.2.2
Mattermost versions 11.3.x through 11.3.0
Description
The software does not properly restrict plugin installation on CI test instances when using default administrator credentials. This allows an unauthenticated attacker to achieve remote code execution and potentially exfiltrate sensitive configuration data, including AWS and SMTP credentials. The attacker achieves this by uploading a malicious plugin after modifying the import directory.
Recommendations
Mattermost versions 10.11.x through 10.11.10 should be updated to a newer, secure version.
Mattermost versions 11.2.x through 11.2.2 should be updated to a newer, secure version.
Mattermost versions 11.3.x through 11.3.0 should be updated to a newer, secure version.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost