CVE-2026-4643
Description
Mattermost Desktop App versions <=6.1, 6.0.1, 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App, which allows a malicious server or plugin to crash the desktop client by invoking window.close() in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost Desktop App versions ≤6.1, 6.0.1, and 5.4.13.0 allow a malicious server or plugin to crash the client via window.close(), causing a denial of service.
Vulnerability
The Mattermost Desktop App fails to prevent server-rendered content from invoking window.close() in the renderer context. This affects versions ≤6.1, 6.0.1, and 5.4.13.0 [1]. A malicious server or plugin can trigger this JavaScript function to close the underlying application view, leading to a client-side denial of service condition.
Exploitation
An attacker must operate a malicious Mattermost server or have the ability to inject a plugin that renders content to the desktop client. No user interaction beyond connecting to the compromised server is required; the window.close() call is executed automatically when the crafted content is rendered in the application window [1].
Impact
Successful exploitation causes the Mattermost Desktop App to crash or close abruptly, denying the user access to the client until it is manually restarted. The attack does not lead to data disclosure, modification, or remote code execution; it is limited to a local denial of service at the client level [1].
Mitigation
Mattermost recommends upgrading to a fixed version as detailed on their security updates page [1]. As of the publication date (2026-05-18), users should check for patched releases (e.g., versions beyond 6.1, 6.0.1, and 5.4.13.0). No workarounds are disclosed in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=6.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.