CVE-2026-2462

Summary

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.3.0 <= 11.3.0affected
MattermostMattermost11.2.0 <= 11.2.2affected
MattermostMattermost10.11.0 <= 10.11.10affected
MattermostMattermost11.4.0unaffected
MattermostMattermost11.3.1unaffected
MattermostMattermost11.2.3unaffected
MattermostMattermost10.11.11unaffected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References