CVE-2026-2462

Admin RCE via Malicious Plugin Upload on CI Test Instances

CVSS 6.6 MEDIUMEPSS 0.3%CWE-863

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.6EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

16 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data including AWS and SMTP credentials via uploading a malicious plugin after changing the import directory. Mattermost Advisory ID: MMSA-2025-00528

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Affected products

Mattermost · Mattermost

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://mattermost.com/security-updates