CVE-2026-2462

216.73.217.22

· Published 16/03/2026 14:19 · Modified 16/03/2026 14:53

Labels: CVE-2026-2462 2026-03-16 CVE-2026-2462 CWE-863 [email protected]

Essential information

Published: 16/03/2026 14:19
Modified: 16/03/2026 14:53
Author: —
Creator: —
CVSS: 6.6 MEDIUM (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

CVSS metrics

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

NVD status

Status: Undergoing Analysis — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
mattermost / mattermost	`cpe:2.3:a:mattermost:mattermost:11.3.0:::::::*`
mattermost / mattermost	`cpe:2.3:a:mattermost:mattermost:11.2.2:::::::*`
mattermost / mattermost	`cpe:2.3:a:mattermost:mattermost:10.11.10:::::::*`