VDB
CVE-2026-2462
PUBLISHED
CVSS 6.6 MEDIUM
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials, which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data, including AWS and SMTP credentials, via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528
EPSS 0.20% · 42.6th percentile
Risk Scores
CVSS 3.1
6.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
EPSS Score
0.20%
42.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mattermost | Mattermost | 10.11.11, 11.4.0, 11.3.1 |
| mattermost | mattermost_server | 11.2.0, 11.3.0, 10.11.0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-2462 (circl-sighting)
- MMSA-2026-00571 (circl)
- CIRCL seen: CVE-2026-2456 (circl-sighting)
Timeline
- Feb 16, 2026 CVE Published
- Feb 16, 2026 PoC Published
- Mar 17, 2026 EPSS Score
- Mar 18, 2026 EPSS Score
- Mar 18, 2026 CVE Updated
- Mar 19, 2026 EPSS Score
- Mar 20, 2026 EPSS Score
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
References
- https://mattermost.com/security-updates/ advisory
- MMSA-2026-00571 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-2462 advisory