CVE-2026-4643 PUBLISHED

Calling window.close() from server-side content causes crash in the Mattermost Desktop App

Assigner: Mattermost
Reserved: 23.03.2026 Published: 18.05.2026 Updated: 18.05.2026

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
CVSS Score: 3.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	None
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 0 to 6.0.1 (incl.) affected from 0 to 5.4.13 (incl.) Version 6.2.0 is unaffected Version 6.1.1.0 is unaffected Version 5.13.5.0 is unaffected

Solutions

Update Mattermost Desktop App to versions 6.2.0, 6.1.1.0, 5.13.5.0 or higher.

Credits

Devin Binnie finder

References

MMSA-2026-00633

Problem Types

CWE-754: Improper Check for Unusual or Exceptional Conditions CWE