CVE-2026-8683 - Vulnerability Details

- Overly long URLs crash the Mattermost Desktop App

Description

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-00652

Published: 2026-06-15

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mattermost Desktop App versions up to 6.1 or 5.5.13.0 treat URLs that exceed internal limits as valid, allowing a script that executes Window.open on an excessively long URL to be delivered from a malicious server. The oversized URL causes the app to crash, creating a denial‑of‑service condition for the affected user. This weakness is identified as CWE‑770 – Excessive Resource Consumption.

Affected Systems

The vulnerability exists in Mattermost’s Desktop App for Windows, macOS, and Linux. Versions 6.1 and earlier, including 5.5.13.0, are affected. Users who run these versions on client machines with network access to an attacker‑controlled server are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1 %, suggesting that exploitation is uncommon. The vulnerability is not included in CISA’s KEV list. The attack requires the user to open a malicious link or visit a site that serves the oversized URL; therefore, the vector is network‑based and user interaction is needed. While the risk is moderate, the impact of an application crash can be disruptive for teams relying on Mattermost for daily communication.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.5.13
`6.2.0`	unaffected	—
`5.13.6.0`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_desktop::-::::::*
	cpe:2.3:a:mattermost:mattermost_desktop::::::::

No data.

Vendor Product Confidence Versions

Mattermost

100%

Version	Status	Scheme	Platform
`[0,5.5.13]`	affected	semver	—
`6.2.0`	unaffected	semver	—
`5.13.6.0`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update Mattermost Desktop App to versions 6.2.0, 5.13.6.0 or higher.

OpenCVE Recommended Actions

Update Mattermost Desktop App to version 6.2.0 or later, or to 5.13.6.0 or later, as released by the vendor.
After applying the patch, close and restart any open instances of the Mattermost Desktop App to ensure the new code is loaded.
Use network monitoring or application firewall rules to detect unusually large HTTP requests and log them, providing an additional early warning for malicious activity.

Generated by OpenCVE AI on June 16, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00199.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://mattermost.com/security-updates

History

Tue, 16 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost mattermost Desktop
CPEs		cpe:2.3:a:mattermost:mattermost_desktop:::::::: cpe:2.3:a:mattermost:mattermost_desktop::-::::::*
Vendors & Products		Mattermost mattermost Desktop

Tue, 16 Jun 2026 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost
Vendors & Products		Mattermost Mattermost mattermost

Mon, 15 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 15 Jun 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID: MMSA-2026-00652
Title		Overly long URLs crash the Mattermost Desktop App
Weaknesses		CWE-770
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

Subscriptions

Mattermost Mattermost Mattermost Desktop

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-06-15T14:06:21.686Z

Updated: 2026-06-15T16:06:03.652Z

Reserved: 2026-05-15T14:13:41.661Z

Link: CVE-2026-8683

Vulnrichment

Updated: 2026-06-15T16:05:35.592Z

NVD

Status : Analyzed

Published: 2026-06-15T16:16:34.700

Modified: 2026-06-16T17:18:55.223

Link: CVE-2026-8683

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses

CWE-770
Allocation of Resources Without Limits or Throttling

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object