Impact
Mattermost Desktop App versions up to and including 6.0, 6.2.0, and 5.2.13.0 fail to validate links presented in the Help menu. The Mattermost server that the client is connected to supplies these links, so a malicious or compromised server can publish a URL that, when the user clicks it, causes the desktop client to hand a non-web target to the operating system and launch an arbitrary local program. The weakness is classified as CWE‑939 (Improper Authorization in Handler for Custom URL Scheme): the client forwards a URL to a scheme handler without checking that the scheme is one it intends to open. The consequence is that the server operator can run a program on the client machine with the privileges of the logged-in user, compromising the confidentiality, integrity, and availability of that user's data and session.
Affected Systems
The affected vendor is Mattermost; the product is the Mattermost Desktop App. The advisory lists versions up to and including 6.0, 6.2.0, and 5.2.13.0 as vulnerable and recommends updating to 6.1.0, 6.0.3.0, 5.13.3.0, or a later supported release. Because the flaw is in the desktop client, patching the server does not protect users who are still running an affected client build.
Risk and Exploitability
The CVSS score of 7.6 indicates a high-severity vulnerability. The EPSS score is below 1 %, implying a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: the attacker must control, or have compromised, the Mattermost server the client connects to, and must embed a malicious Help-menu link in the configuration the server sends to clients. The user must then click the link; no additional authentication or privilege escalation is needed beyond the existing user session. When the link is triggered, the program specified in the URL runs with the rights of the desktop-client user, which gives the attacker code execution as that user rather than as a system account.
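The pattern described in the Impact and Risk sections above, shown as an added illustrative example rather than Mattermost's own code: a desktop client that passes a server-supplied Help-menu URL straight to the OS opener, beside a hardened version that allow-lists the scheme first. In an Electron client the opener would be Electron's public `shell.openExternal`, which asks the OS to open whatever the string denotes (for a `file:` URL or a custom scheme that can mean launching a local program); here the opener is injected as a plain function so the example runs without Electron. The configuration field name `HelpLink`, the function names, the default link and every sample URL are assumptions constructed for this example.

```javascript
// Added illustrative example (not Mattermost's code): validate a
// server-supplied Help-menu URL before handing it to the OS.
//
// In an Electron app `opener` would be `shell.openExternal`. The opener is
// injected here so the example runs stand-alone, with a recording stub.

// Constructed sample of a server-provided client configuration. The field
// name `HelpLink` is an assumption for this example.
const SERVER_CONFIG = {
  HelpLink: "https://docs.example.test/help",
};

// Assumed compiled-in fallback used when the server's value is rejected.
const DEFAULT_HELP_LINK = "https://docs.example.test/help";

// Vulnerable pattern: whatever the server sent is opened as-is.
function openHelpLinkUnsafe(config, opener) {
  opener(config.HelpLink);
  return config.HelpLink;
}

// Allow-list check: must parse as a URL, must be http(s), and must not
// carry embedded credentials (which can disguise the real destination).
function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(raw); // throws on strings that are not URLs at all
  } catch (e) {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  return true;
}

// Hardened pattern: open the server's link only if it passes the check,
// otherwise open the built-in default and report what was rejected.
function openHelpLinkSafe(config, opener) {
  const link = config.HelpLink;
  if (isSafeExternalUrl(link)) {
    opener(link);
    return { opened: link, rejected: null };
  }
  opener(DEFAULT_HELP_LINK);
  return { opened: DEFAULT_HELP_LINK, rejected: link };
}

// Recording stand-in for shell.openExternal so nothing is really launched.
function makeRecordingOpener() {
  const calls = [];
  const opener = (target) => {
    calls.push(target);
  };
  opener.calls = calls;
  return opener;
}

// Constructed values a hostile server might push. Each one is either a
// non-web scheme the OS could dispatch to a local program or a string that
// fails to parse; none refers to a real host or file.
const HOSTILE_LINKS = [
  "file:///C:/Windows/System32/calc.exe",
  "C:\\Windows\\System32\\cmd.exe", // parses with scheme "c:"
  "javascript:alert(1)",
  "ms-calculator:",
  "https://user:pw@docs.example.test/help",
  "not a url at all",
];

// Run both handlers over the hostile list and return what reached the OS.
function demo() {
  const unsafe = makeRecordingOpener();
  const safe = makeRecordingOpener();
  for (const link of HOSTILE_LINKS) {
    openHelpLinkUnsafe({ HelpLink: link }, unsafe);
    openHelpLinkSafe({ HelpLink: link }, safe);
  }
  return {
    unsafeOpened: unsafe.calls, // every hostile value is passed to the OS
    safeOpened: safe.calls, // only DEFAULT_HELP_LINK, once per attempt
  };
}

demo();
```

The check deliberately rejects rather than rewrites: a URL with an unexpected scheme or embedded credentials is replaced by the client's own default instead of being "repaired", so a server cannot probe for strings that slip through a normalisation step.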
OpenCVE Enrichment