CVE-2026-1628 PUBLISHED

Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.

Assigner: Mattermost
Reserved: 29.01.2026 Published: 02.03.2026 Updated: 02.03.2026

Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 0 to 5.13.3 (incl.) Version 5.13.4.0 is unaffected

Solutions

Update Mattermost Desktop App to versions 5.13.4.0 or higher.

Credits

N/A finder

References

MMSA-2026-00596

Problem Types

CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE