CVE-2026-2462
- Source
- https://cve.org/CVERecord?id=CVE-2026-2462
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2462.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-2462
- Published
- 2026-03-16T14:19:30.010Z
- Modified
- 2026-04-10T05:39:28.551612Z
- Severity
-
- 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528
- References
Affected packages
Git / github.com/mattermost/mattermost-server
Affected versions
@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@11.*
@mattermost/client@11.3.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@11.*
@mattermost/types@11.3.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@11.*
mattermost-redux@11.3.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.10
v10.11.11-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.2.0
v11.2.1
v11.2.1-rc1
v11.2.2
v11.3.0
v11.3.0-rc3
v11.3.0-rc4
v11.3.1-rc1