CVE-2025-13326 - Vulnerability Details - OpenCVE

Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

Update Mattermost Desktop App to versions 6.0.0 or higher.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://mattermost.com/security-updates

History

Wed, 17 Dec 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 17 Dec 2025 18:30:00 +0000

Type	Values Removed	Values Added
Description		Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.
Title		Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store
Weaknesses		CWE-693
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 3.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2025-12-17T18:14:14.131Z

Updated: 2025-12-17T19:29:30.738Z

Reserved: 2025-11-17T17:28:35.075Z

Link: CVE-2025-13326

Vulnrichment

Updated: 2025-12-17T18:52:19.915Z

NVD

Status : Received

Published: 2025-12-17T19:16:01.237

Modified: 2025-12-17T19:16:01.237

Link: CVE-2025-13326

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-693

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13326", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2025-11-17T17:28:35.075Z", "datePublished": "2025-12-17T18:14:14.131Z", "dateUpdated": "2025-12-17T19:29:30.738Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "6.0.0", "status": "affected", "version": "0", "versionType": "semver"}, {"version": "6.0.0", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Karmaz95"}], "descriptions": [{"lang": "en", "value": "Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder."}], "metrics": [{"cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseSeverity": "LOW", "baseScore": 3.9}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-693: Protection Mechanism Failure", "cweId": "CWE-693"}]}], "references": [{"url": "https://mattermost.com/security-updates"}], "solutions": [{"value": "Update Mattermost Desktop App to versions 6.0.0 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2025-00504", "defect": ["https://mattermost.atlassian.net/browse/MM-64731"], "discovery": "EXTERNAL"}, "title": "Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-12-17T18:14:14.131Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T18:52:17.808716Z", "id": "CVE-2025-13326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T19:29:30.738Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T18:52:17.808716Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T18:52:19.915Z"}}], "cna": {"title": "Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-64731"], "advisory": "MMSA-2025-00504", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Karmaz95"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.0.0"}, {"status": "unaffected", "version": "6.0.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Desktop App to versions 6.0.0 or higher."}], "references": [{"url": "https://mattermost.com/security-updates"}], "descriptions": [{"lang": "en", "value": "Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2025-12-17T18:14:14.131Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13326", "state": "PUBLISHED", "dateUpdated": "2025-12-17T19:29:30.738Z", "dateReserved": "2025-11-17T17:28:35.075Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2025-12-17T18:14:14.131Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}