VYPR
Medium severity · 6.5 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-3471

Description

Mattermost Desktop App versions <= 6.1, 6.0.1, 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window, which allows a malicious server owner to repeatedly crash the application by calling window.open('javascript:alert()'). Mattermost Advisory ID: MMSA-2026-00618

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mattermost Desktop App fails to block invalid pop-up URLs, allowing a malicious server to repeatedly crash the application.

Vulnerability

In Mattermost Desktop App versions <= 6.1, 6.0.1, and 5.4.13.0, the application does not prevent the loading of invalid URLs (e.g., javascript:alert()) in pop-up windows. This allows a malicious server owner to call window.open('javascript:alert()') and crash the app repeatedly [1].

Exploitation

An attacker who controls the Mattermost server the user is connected to can serve web content that calls window.open() with a javascript: URI. The Desktop App attempts to load that URI in a pop-up window, which crashes the application; because the server can trigger the call again each time the user reconnects, the crash can be repeated at will. No user interaction is needed beyond the user being connected to the malicious server [1].

Impact

Successful exploitation results in a denial of service (DoS) — the Desktop App crashes repeatedly, rendering it unusable for the affected user. No data is disclosed or modified; the impact is limited to availability [1].

Mitigation

Mattermost has released security updates. Users should upgrade to the patched version of the Mattermost Desktop App named in the Mattermost security advisory (MMSA-2026-00618); for version-specific details, refer to [1]. No workaround is available for an unpatched app; since the precondition is a malicious server owner, the only exposure reduction short of updating is not connecting the app to servers run by untrusted operators.
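The defensive pattern behind this class of bug is a scheme and origin check on every window.open() target before a pop-up window is created. The following is an added illustration, not Mattermost's code or its actual fix: it assumes the host application keeps a set of configured server origins (a hypothetical `configuredServerOrigins`), allows only http(s) pop-ups to those origins, and rejects javascript:, data:, file:, about: and unparseable strings. It uses only the WHATWG URL class, so it runs in plain Node; the Electron wiring is shown in a comment because Electron is not loaded here.

```javascript
// Added example (not part of the advisory or the Mattermost code base):
// decide whether a renderer's window.open() target may open as a pop-up.
// Assumption: the app knows its configured server origins as a Set of
// "scheme://host[:port]" strings (named configuredServerOrigins below).

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

/**
 * Classify a pop-up URL. Returns { action: 'allow' } or
 * { action: 'deny', reason } -- the object shape Electron's
 * webContents.setWindowOpenHandler expects (reason is extra, for logging).
 * If allowedOrigins is null, any http(s) origin is accepted.
 */
function popupOpenDecision(rawUrl, allowedOrigins) {
  // window.open() may be called with no argument or a non-string.
  if (typeof rawUrl !== 'string') {
    return { action: 'deny', reason: 'non-string url' };
  }

  let parsed;
  try {
    // The WHATWG parser strips leading/trailing whitespace and embedded
    // tabs/newlines, so "  java\nscript:alert()" still parses as javascript:.
    parsed = new URL(rawUrl.trim());
  } catch {
    // Relative paths and garbage never reach a window at all.
    return { action: 'deny', reason: 'unparseable url' };
  }

  // URL lowercases the scheme, so "JavaScript:alert()" is caught too.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { action: 'deny', reason: `scheme ${parsed.protocol} not allowed` };
  }

  // Even an http(s) URL is only allowed for a server the user has added.
  if (allowedOrigins && !allowedOrigins.has(parsed.origin)) {
    return { action: 'deny', reason: `origin ${parsed.origin} not configured` };
  }

  return { action: 'allow' };
}

// Run the advisory's trigger plus common evasions through the check and
// return the decisions, so the behaviour can be inspected without Electron.
function demo() {
  // Constructed sample: one configured server origin (hypothetical host).
  const configuredServerOrigins = new Set(['https://chat.example.test']);
  const samples = [
    "javascript:alert()",                 // the advisory's trigger
    "JavaScript:alert()",                 // mixed-case scheme
    "  java\nscript:alert()",             // whitespace/newline smuggling
    "data:text/html,<script>x</script>",  // inline document
    "file:///etc/hosts",                  // local file
    "about:blank",
    "not a url",
    "https://evil.example.test/",         // http(s) but unknown server
    "https://chat.example.test/files/1",  // the only legitimate case
  ];
  return samples.map((u) => [u, popupOpenDecision(u, configuredServerOrigins)]);
}

// Electron wiring (not executed here; requires an Electron main process):
//   win.webContents.setWindowOpenHandler(({ url }) =>
//     popupOpenDecision(url, configuredServerOrigins));
// Returning { action: 'deny' } means no BrowserWindow is ever created for
// the URL, so a hostile server cannot reach the crash path through window.open().

console.table(demo().map(([url, d]) => ({ url, action: d.action, reason: d.reason || '' })));
```

Because the check runs in the main process before any window is constructed, a server that keeps calling window.open() only produces a stream of denied entries in the log, which is itself a useful signal that the server is hostile.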

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
