PatchSiren cyber security CVE debrief

CVE-2026-3471 Mattermost CVE debrief

CVE-2026-3471 is a medium-severity denial-of-service issue in the Mattermost Desktop App. According to the CVE description, the app fails to block an invalid URL from loading inside a pop-up window, which lets a malicious server owner repeatedly crash the application by invoking `window.open('javascript:alert()')`. The issue was publicly disclosed on 2026-05-18 and is associated with Mattermost advisory MMSA-2026-00618.

Vendor: Mattermost
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

Administrators and users of the Mattermost Desktop App should care, especially in environments where users connect to servers they do not fully control. Security teams should also review any deployment that relies on the desktop client for daily access: the impact is loss of availability through application crashes rather than data theft or code execution.

Technical summary

The vulnerability is a client-side URL handling flaw in the Mattermost Desktop App. The app does not adequately prevent an invalid URL from being loaded in a pop-up window. NVD records the weakness as CWE-939 and lists a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which matches a user-interaction-dependent denial-of-service condition with availability impact only. The supplied description indicates that malicious server-side content can trigger repeated crashes through a `javascript:` URL passed to `window.open()`.

Defensive priority

Moderate. This is not a known-exploitation or data-compromise issue in the supplied record, but it can repeatedly disrupt desktop client availability for affected users. Prioritize remediation sooner in environments where the Mattermost Desktop App is broadly deployed or where users connect to untrusted or externally managed servers.

Recommended defensive actions

  • Review whether your environment uses affected Mattermost Desktop App releases referenced in the advisory and CVE description.
  • Upgrade to a Mattermost Desktop App version that includes the vendor fix once confirmed by the official security update.
  • Limit trust in server-controlled pop-up behavior in desktop clients, especially when users can join externally managed Mattermost servers.
  • Monitor help-desk and endpoint telemetry for repeated Mattermost Desktop App crashes after connecting to specific servers.
  • Track Mattermost security updates and advisory MMSA-2026-00618 for vendor guidance and fixed-version information.
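As an added illustration of the "limit trust in server-controlled pop-up behavior" action above (example code written for this debrief, not Mattermost's code and not the vendor fix): an Electron pop-up guard that allows only http(s) targets, so a `javascript:` URL handed to `window.open()` is denied rather than loaded, and each denial is counted per server origin to feed the crash telemetry the monitoring action mentions. The `webContents.setWindowOpenHandler` hook and the `serverUrl` parameter are assumed integration points.

```javascript
// Added example (not Mattermost's code): allow-list pop-up targets in an Electron
// desktop client so a server-controlled page cannot open a javascript: (or any
// other non-web) URL in a new window. Electron's setWindowOpenHandler is assumed.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// True only for URLs that parse and use an allowed web scheme.
function isSafePopupUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (_e) {
    return false; // unparseable or relative: refuse rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Per-origin count of denied pop-ups, keyed by the server page that asked.
// Repeated denials from one origin are the signal worth alerting on.
const deniedByOrigin = new Map();

function recordDenied(requesterUrl) {
  let origin = 'unknown';
  try {
    origin = new URL(requesterUrl).origin;
  } catch (_e) {
    // keep 'unknown' for a requester we cannot parse
  }
  const n = (deniedByOrigin.get(origin) || 0) + 1;
  deniedByOrigin.set(origin, n);
  return n;
}

// Decision for one window.open request: { action: 'allow' } or { action: 'deny' }.
function decidePopup(url, requesterUrl) {
  if (isSafePopupUrl(url)) {
    return { action: 'allow' };
  }
  recordDenied(requesterUrl);
  return { action: 'deny' };
}

// Assumed integration point: wire the decision into Electron (not exercised offline).
function installPopupGuard(webContents, serverUrl) {
  webContents.setWindowOpenHandler(({ url }) => decidePopup(url, serverUrl));
}
```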

Evidence notes

Primary evidence comes from the NVD CVE record and its linked Mattermost security update reference. The CVE description states that the Mattermost Desktop App fails to prevent an invalid URL from loading in a pop-up window and that a malicious server owner can repeatedly crash the application via `window.open('javascript:alert()')`. NVD also lists CWE-939 and a CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). The vendor attribution in the supplied metadata is low confidence, so the product is described conservatively as the Mattermost Desktop App based on the CVE text and the official reference.

Official resources

Publicly disclosed on 2026-05-18 09:16:22.847Z. Mattermost advisory ID: MMSA-2026-00618. NVD records the CVE as received on the same date.