CVE-2025-13326
📋 TL;DR
Mattermost Desktop App versions before 6.0.0 for macOS fail to enable Hardened Runtime when packaged for the Mac App Store, allowing attackers to bypass macOS security controls. This vulnerability affects macOS users running vulnerable Mattermost Desktop App versions from the Mac App Store. Attackers could potentially inherit TCC permissions by copying the binary to a temporary folder.
💻 Affected Systems
- Mattermost Desktop App
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain unauthorized access to sensitive macOS permissions (like camera, microphone, or location) that the Mattermost app had previously been granted by the user.
Likely Case
Limited privilege escalation where an attacker could access some TCC-protected resources if they already have local access and can execute the copied binary.
If Mitigated
Minimal impact if proper macOS security controls and app sandboxing are enforced, as the attack requires local access and user interaction.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of macOS TCC bypass techniques. The attacker needs to copy the vulnerable binary to a temporary location.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.0
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Open the Mac App Store.
2. Go to Updates.
3. Find Mattermost Desktop App.
4. Click Update to version 6.0.0 or higher.
5. Restart the application after the update completes.
🔧 Temporary Workarounds
Use direct download version (macOS)
Install the Mattermost Desktop App directly from the Mattermost website instead of the Mac App Store.
Restrict app permissions (macOS)
Review and limit TCC permissions for Mattermost in System Settings > Privacy & Security.
🧯 If You Can't Patch
- Monitor for suspicious binary copies to /tmp or other temporary directories
- Implement application allowlisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check Mattermost Desktop App version in About Mattermost. If version is below 6.0.0 and installed from Mac App Store, it is vulnerable.
Check Version:
Open Mattermost Desktop App, go to Help > About Mattermost
Verify Fix Applied:
Verify version is 6.0.0 or higher in About Mattermost. Check that Hardened Runtime is enabled using 'codesign -dv --verbose=4 /Applications/Mattermost.app' (codesign prints to stderr); a hardened build shows 'runtime' in the CodeDirectory flags, e.g. 'flags=0x10000(runtime)', while a build without it does not.
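The two checks above as a small POSIX shell script. This is an added example, not part of the advisory or of Mattermost's tooling: the codesign output it parses is constructed sample text (identifiers and sizes are illustrative), and the live command against /Applications/Mattermost.app is left commented so the script also runs on a machine without codesign.

```shell
#!/bin/sh
# Added example (not from the advisory). Two helpers:
#   version_is_vulnerable VERSION  -> exit 0 if VERSION is below the 6.0.0 fix
#   check_hardened_runtime         -> reads `codesign -dv --verbose=4` output on
#                                     stdin, prints "enabled" or "missing"

# The fix shipped in 6.0.0, so any major version below 6 is affected.
version_is_vulnerable() {
  major=$(printf '%s\n' "$1" | cut -d. -f1)
  [ "$major" -lt 6 ]
}

# Hardened Runtime is recorded as the 'runtime' bit (0x10000) in the
# CodeDirectory flags of the code signature, printed as flags=0x...(...).
check_hardened_runtime() {
  if grep -Eq '^CodeDirectory .*flags=0x[0-9a-fA-F]+\(([^)]*,)?runtime(,[^)]*)?\)'; then
    echo enabled
  else
    echo missing
  fi
}

# Constructed sample resembling codesign output for a bundle signed WITH
# Hardened Runtime (not real Mattermost values).
SAMPLE_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8979
TeamIdentifier=EXAMPLETEAM'

# Constructed sample for a bundle signed WITHOUT Hardened Runtime.
SAMPLE_PLAIN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+7 location=embedded
Signature size=8979'

# On macOS, run against the installed app (codesign writes to stderr):
# codesign -dv --verbose=4 /Applications/Mattermost.app 2>&1 | check_hardened_runtime

printf '%s\n' "$SAMPLE_HARDENED" | check_hardened_runtime   # enabled
printf '%s\n' "$SAMPLE_PLAIN" | check_hardened_runtime      # missing
version_is_vulnerable "5.12.1" && echo "5.12.1: below the 6.0.0 fix"
```

The version check compares only the major component, which is sufficient because the fix boundary is exactly 6.0.0; the flag check keys on the CodeDirectory line rather than grepping the whole output so that an unrelated line mentioning "runtime" cannot produce a false "enabled".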
📡 Detection & Monitoring
Log Indicators:
- Unauthorized copies of Mattermost binary to temporary directories
- Unexpected TCC permission requests from Mattermost
SIEM Query:
process.name:"Mattermost" AND (file.path:"/tmp/*" OR file.path:"/var/tmp/*")
(The parentheses matter: without them the OR binds loosely and the query matches every event under /var/tmp regardless of process.)
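The same two log indicators applied to endpoint telemetry, as an added example that is not part of the advisory. The log format (space-separated key=value fields, field names borrowed from the SIEM query above) and every log line are constructed; the script flags a Mattermost process executing from a temporary directory and a file named Mattermost being created there. It also accepts the /private/tmp and /private/var/tmp forms, since macOS resolves /tmp and /var/tmp to those paths and telemetry may report the resolved path.

```shell
#!/bin/sh
# Added example (not from the advisory): detection logic for the two
# indicators listed above, run over constructed sample telemetry.

# flag_suspicious reads key=value event lines on stdin and prints one line
# per hit: "<ts> <rule> <path>". Fields must not contain spaces (true of the
# constructed sample; a real pipeline would parse its own format first).
flag_suspicious() {
  awk '
    {
      split("", kv)                      # reset the per-line field map
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
      }
      # /tmp and /var/tmp, with or without the /private prefix macOS resolves them to
      tmp = "^(/private)?(/var)?/tmp/"
      if (kv["event"] == "exec" && kv["process.name"] == "Mattermost" \
          && kv["process.executable"] ~ tmp)
        print kv["ts"] " mattermost-exec-from-temp " kv["process.executable"]
      else if (kv["event"] == "file_create" && kv["file.path"] ~ tmp \
          && kv["file.path"] ~ /\/Mattermost$/)
        print kv["ts"] " mattermost-binary-copied " kv["file.path"]
    }'
}

# Constructed sample telemetry: a normal launch, a copy of the binary into
# /tmp, a launch of that copy, and an unrelated temp-file write.
SAMPLE_LOG='ts=2025-01-01T10:00:00Z event=exec process.name=Mattermost process.executable=/Applications/Mattermost.app/Contents/MacOS/Mattermost
ts=2025-01-01T10:05:00Z event=file_create process.name=cp file.path=/tmp/Mattermost.app/Contents/MacOS/Mattermost
ts=2025-01-01T10:05:10Z event=exec process.name=Mattermost process.executable=/private/tmp/Mattermost.app/Contents/MacOS/Mattermost
ts=2025-01-01T10:06:00Z event=file_create process.name=Terminal file.path=/var/tmp/notes.txt'

# Count of hits; the sample yields 2 (the copy and the launch from /private/tmp).
count_hits() {
  printf '%s\n' "$SAMPLE_LOG" | flag_suspicious | grep -c .
}

printf '%s\n' "$SAMPLE_LOG" | flag_suspicious
```

Unlike the SIEM query, which pairs the Mattermost process name with a temp-directory file path, this script distinguishes the two events the indicators actually describe: the copy (any process creating a file named Mattermost under a temp directory) and the later execution of that copy (a Mattermost process whose executable lives there). A normal launch from /Applications and unrelated temp-file writes produce no hits.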