Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NMattermost Desktop
APPMattermost≤ 5.13.06.1.0 – 6.1.5
Related vulnerabilities
An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injectio...
An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection.
Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Matt...
An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code ...
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during ac...