CVE-2026-2462
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528
Vendor
Product
CWE
Yayın Tarihi
2026-03-16 14:19:30
Güncelleme
2026-03-18 18:31:45
Source Identifier
responsibledisclosure@mattermost.com
KEV Date Added
-