CVE-2026-2462

Source
https://cve.org/CVERecord?id=CVE-2026-2462
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2462.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2462
Published
2026-03-16T12:00:21.069Z
Modified
2026-07-08T07:07:16.296894153Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Admin RCE via Malicious Plugin Upload on CI Test Instances
Details

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "11.3.0"
                },
                {
                    "last_affected": "11.3.0"
                },
                {
                    "introduced": "11.2.0"
                },
                {
                    "last_affected": "11.2.2"
                },
                {
                    "introduced": "10.11.0"
                },
                {
                    "last_affected": "10.11.10"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2462.json",
    "cna_assigner": "Mattermost",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.11"
        },
        {
            "introduced": "11.2.0"
        },
        {
            "fixed": "11.2.3"
        },
        {
            "introduced": "11.3.0"
        },
        {
            "fixed": "11.3.1"
        }
    ]
}

Affected versions

@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@11.*
@mattermost/client@11.3.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@11.*
@mattermost/types@11.3.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@11.*
mattermost-redux@11.3.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.10
v10.11.11-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.2.0
v11.2.1
v11.2.1-rc1
v11.2.2
v11.3.0
v11.3.0-rc3
v11.3.0-rc4
v11.3.1-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2462.json"