CVE-2026-2462

EUVD-2026-12413
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
MattermostCNA
6.6 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
10.11.0 ≤
𝑥
< 10.11.11
mattermostmattermost_server
11.2.0 ≤
𝑥
< 11.2.3
mattermostmattermost_server
11.3.0 ≤
𝑥
< 11.3.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
mattermostmattermost
𝑥
≤ 11.3.0
CNA
mattermostmattermost
11.2.0 ≤
𝑥
≤ 11.2.2
CNA
mattermostmattermost
10.11.0 ≤
𝑥
≤ 10.11.10
CNA
Common Weakness Enumeration
References
https://mattermost.com/security-updates