Description
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
Published: 2026-06-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Mattermost Go module github.com/mattermost/mattermost/server/public, where insufficient validation of path parameters used when building API route paths allows an attacker to craft identifiers containing path‑traversal components and redirect API calls to unintended endpoints. This could enable the attacker to access, invoke, or manipulate data at unauthorized routes, potentially bypassing intended access controls. The flaw is categorized as CWE‑22, Path Traversal.

Affected Systems

Versions of the Mattermost Go module github.com/mattermost/mattermost/server/public earlier than v0.1.22 are impacted. This includes deployments of the Mattermost server that still use a pre‑0.1.22 module version.

Risk and Exploitability

The severity is moderate with a CVSS score of 5.4 and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog. An attacker who can send crafted API requests to the affected server can exploit the flaw by embedding path traversal strings such as "/../" in the identifier portion of the URL, causing the request routing layer to resolve to a different, unintended endpoint. Because the flaw requires no special privileges beyond the ability to issue API calls, the attack vector is likely remote and the exploitation conditions are simple, but the impact is limited to unintended API access rather than arbitrary code execution.

Generated by OpenCVE AI on June 26, 2026 at 15:35 UTC.

Remediation

Vendor Solution

Update the github.com/mattermost/mattermost/server/public module to v0.1.22 or higher.

OpenCVE Recommended Actions

  • Upgrade the github.com/mattermost/mattermost/server/public Go module to version 0.1.22 or later to apply the vendor fix.
  • Rebuild and redeploy the Mattermost server with the updated module so the change takes effect.
  • If a Web Application Firewall or API gateway is in use, configure it to reject or flag requests whose id parameters contain path‑traversal characters such as "/.." to provide an additional defense layer.

Generated by OpenCVE AI on June 26, 2026 at 15:35 UTC.
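The unchecked route construction described in the analysis above and the gateway-side check from the recommended actions, as an added example that is not OpenCVE's, Mattermost's or the module's own code: a hypothetical unsafeRoute mirrors the pattern the advisory describes, safeRoute validates the ID before building the path, and suspiciousParam is the kind of rule a WAF or API gateway could apply. The 26-character lowercase ID format and the /api/v4/users/ prefix are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// unsafeRoute is a hypothetical client route builder showing the pattern the
// advisory describes: the caller-supplied ID is spliced into the path unchecked.
func unsafeRoute(userID string) string {
	return "/api/v4/users/" + userID
}

// escapesPrefix reports whether a built route, once its dot-segments are
// resolved, no longer lives under the intended prefix (the call was redirected).
func escapesPrefix(route, prefix string) bool {
	return !strings.HasPrefix(path.Clean(route), prefix)
}

// idPattern assumes a 26-character lowercase alphanumeric ID (an assumption
// for this example; a real client should use the module's own ID validator).
var idPattern = regexp.MustCompile(`^[a-z0-9]{26}$`)

// safeRoute is the hardened form: validate the parameter before using it.
func safeRoute(userID string) (string, error) {
	if !idPattern.MatchString(userID) {
		return "", errors.New("invalid user id")
	}
	return "/api/v4/users/" + userID, nil
}

// suspiciousParam is a WAF/gateway-style check: percent-decode the raw segment,
// then flag path separators, dot-segments or malformed encoding.
func suspiciousParam(raw string) bool {
	decoded, err := url.PathUnescape(raw)
	if err != nil || strings.ContainsAny(decoded, `/\`) {
		return true
	}
	return decoded == "." || decoded == ".."
}

func main() {
	fmt.Println(escapesPrefix(unsafeRoute("../teams"), "/api/v4/users/")) // true
	_, err := safeRoute("../teams")
	fmt.Println(err, suspiciousParam("..%2Fteams")) // invalid user id true
}
```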

History

Fri, 26 Jun 2026 15:30:00 +0000 (values added; none removed)

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 14:15:00 +0000 (values added; none removed)

  • Description: The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
  • Title: Client4 fails to validate path parameters
  • Weaknesses: CWE-22
  • References: (none recorded)
  • Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-26T14:39:00.126Z

Reserved: 2026-06-26T13:32:10.276Z

Link: CVE-2026-13426

Vulnrichment

Updated: 2026-06-26T14:38:56.725Z

OpenCVE Enrichment

Updated: 2026-06-26T15:45:02Z

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')