Description
Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking window.close() in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633
Published: 2026-05-18
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Server-rendered content in the Mattermost Desktop App may invoke window.close on the renderer side, causing the client application to crash. This flaw results in a local denial of service condition, interrupting user activity without affecting any remote systems or other network services. The weakness arises from a lack of verification before allowing window.close to execute, which aligns with CWE-754.

Affected Systems

Mattermost Desktop App versions 6.1.0 and earlier, including 6.0.1 and 5.4.13.0, are affected. The vendor is Mattermost and the product is the Mattermost Desktop App.

Risk and Exploitability

The CVSS score of 3.5 indicates low severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector demands a malicious or compromised server or plugin that serves executable content to the client. Exploitation would require the client to load the content, so while exploitation is straightforward for a targeted user, broad remote exploitation is unlikely.

Generated by OpenCVE AI on May 18, 2026 at 10:21 UTC.

Remediation

Vendor Solution

Update Mattermost Desktop App to versions 6.2.0, 6.1.1.0, 5.13.5.0 or higher.


OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading the Mattermost Desktop App to version 6.2.0, 6.1.1.0, 5.13.5.0 or later.
  • If an update is delayed, restrict or disable untrusted plugins that may inject server-rendered content into the desktop client.
  • Implement stricter content security policies on the server side to prevent execution of window.close or similar destructive calls from being delivered to the desktop app.


Advisories

No advisories yet.

History

Mon, 18 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mattermost; Mattermost mattermost
Vendors & Products | | Mattermost; Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking window.close() in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633
Title | | Calling window.close() from server-side content causes crash in the Mattermost Desktop App
Weaknesses | | CWE-754
References | |
Metrics | | cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:43:34.588Z

Reserved: 2026-03-23T11:42:45.791Z

Link: CVE-2026-4643

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T09:16:23.127

Modified: 2026-05-18T09:16:23.127

Link: CVE-2026-4643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z
