Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URLs for path traversal, which allows a malicious authenticated user to call an arbitrary API via the system admin's Mattermost auth token by using path traversal in an integration action URL. Mattermost Advisory ID: MMSA-2026-00640
Published: 2026-05-21
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 10.11.0 through 10.11.14, 11.4.0 through 11.4.4, 11.5.0 through 11.5.3, and 11.6.0 are vulnerable to a path traversal flaw (CWE-22) in integration action URLs. Because the server does not validate the action URL for traversal sequences, an authenticated malicious user can make the backend resolve the URL to an arbitrary API endpoint while the request carries the system administrator's authentication token. The attacker can then perform any API operation that the admin token permits, such as modifying data, reading information, or changing system configuration. In effect this is a privilege escalation from a low-privileged authenticated user to system administrator, which is also why the CVSS vector records a changed scope; the advisory does not claim remote code execution.

Affected Systems

Mattermost Server versions 10.11.0 through 10.11.14, 11.4.0 through 11.4.4, 11.5.0 through 11.5.3, and 11.6.0 are affected. No other vendors or products are listed.

Risk and Exploitability

The CVSS 3.1 score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) reflects high confidentiality, integrity and availability impact with a changed scope. Two components of the vector temper exploitability: attack complexity is high, so conditions outside the attacker's control must hold, and user interaction is required, so another user must act before the attacker-supplied URL is followed. EPSS is below 1%, the SSVC assessment records no known exploitation, and the flaw is not listed in CISA's KEV catalog. Even so, the low privilege requirement makes exploitation realistic in organizations that give ordinary accounts the ability to create integrations. The likely attack path is a legitimate user configuring an integration and supplying an action URL containing traversal sequences so that the backend resolves the request to a targeted API endpoint under the administrative token context.

Generated by OpenCVE AI on May 21, 2026 at 10:52 UTC.

Remediation

Vendor Solution

Update Mattermost to version 11.7.0, 11.6.1, 11.5.4, 11.4.5, or 10.11.15, or a later release on the same branch.


OpenCVE Recommended Actions

  • Upgrade Mattermost to a fixed release on your branch: 11.7.0, 11.6.1, 11.5.4, 11.4.5, or 10.11.15 or later.
  • After applying the patch, review the action URLs of existing integrations for traversal sequences (".." segments, including percent-encoded forms such as "%2e%2e") or for paths that point at the server's own API, and remove or correct any that do.
  • Monitor integration activity and API audit logs for unusual calls made under system administrator credentials, which could indicate an attempt to exploit the path traversal flaw.
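The following Go program is an added example for the attack path described in the AI analysis and for the integration review in the list above; it is not Mattermost's code or its patch. It assumes, as this example's own rule, that an action URL may be either an absolute http(s) URL to an external service or a server-relative URL under /plugins/, that the server's hostname is mattermost.example.com, and that the stored action URLs it scans are the constructed samples embedded below. It shows a naive substring test that misses percent-encoded dot segments, a validator that checks the decoded and raw path and confines server-relative URLs to the assumed prefix, and a scan that lists stored URLs failing the check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rejection reasons. These sentinels are this example's own, not Mattermost's.
var (
	ErrScheme       = errors.New("action URL must be server-relative or an absolute http(s) URL")
	ErrTraversal    = errors.New("action URL contains a dot segment or an ambiguous separator")
	ErrInternalPath = errors.New("server-relative action URL must stay under the plugin prefix")
)

// allowedInternalPrefix is the assumed prefix under which an action URL may
// point back at the server itself; everything else (notably /api/) is off limits.
const allowedInternalPrefix = "/plugins/"

// siteHost is the constructed hostname of the server being protected.
const siteHost = "mattermost.example.com"

// Verdict describes an accepted URL: external callback or internal route, plus
// its normalised path.
type Verdict struct {
	Kind string // "external" or "internal"
	Path string
}

// NaiveCheck is the kind of test that is NOT enough: a substring search on the
// raw string misses "%2e%2e", which decodes to ".." before routing.
func NaiveCheck(raw string) bool {
	return !strings.Contains(raw, "..")
}

// hasDotSegment reports whether any "/"-separated segment is "." or "..".
func hasDotSegment(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return false
}

// ValidateActionURL classifies raw as external or internal, rejects dot
// segments in both the decoded and the raw path, and confines internal URLs
// to allowedInternalPrefix after normalisation.
func ValidateActionURL(raw, host string) (Verdict, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Verdict{}, err
	}
	var internal bool
	switch {
	case u.Scheme == "" && u.Host == "" && strings.HasPrefix(u.Path, "/"):
		internal = true // server-relative, e.g. /plugins/<id>/...
	case (u.Scheme == "http" || u.Scheme == "https") && u.Host != "":
		internal = strings.EqualFold(u.Hostname(), host)
	default:
		return Verdict{}, ErrScheme // mailto:, //host/..., bare relative paths
	}
	// url.Parse percent-decodes into u.Path, so "%2e%2e" is already ".." here;
	// u.RawPath keeps the original encoding when it differs. Check both, and
	// refuse backslashes and encoded slashes that a proxy might reinterpret.
	if hasDotSegment(u.Path) || hasDotSegment(u.RawPath) ||
		strings.Contains(u.Path, `\`) || strings.Contains(strings.ToLower(u.RawPath), "%2f") {
		return Verdict{}, ErrTraversal
	}
	p := u.Path
	if p == "" {
		p = "/"
	}
	cleaned := path.Clean(p) // dot segments are already gone; this collapses "//"
	if internal && !strings.HasPrefix(cleaned, allowedInternalPrefix) {
		return Verdict{}, ErrInternalPath
	}
	kind := "external"
	if internal {
		kind = "internal"
	}
	return Verdict{Kind: kind, Path: cleaned}, nil
}

// ScanIntegrations returns the stored action URLs that fail validation, in
// input order, for an after-patch review of existing integrations.
func ScanIntegrations(urls []string, host string) []string {
	var bad []string
	for _, raw := range urls {
		if _, err := ValidateActionURL(raw, host); err != nil {
			bad = append(bad, raw)
		}
	}
	return bad
}

// SampleActionURLs is a constructed set of stored action URLs: two legitimate
// ones followed by four that try to reach the server's own API.
var SampleActionURLs = []string{
	"https://hooks.example.net/mm/action",
	"/plugins/com.example.bot/action",
	"/plugins/../api/v4/users/me",
	"/plugins/%2e%2e/api/v4/users/me",
	"https://mattermost.example.com/plugins/com.example.bot/../../api/v4/users/me",
	"/api/v4/users/me",
}

func main() {
	for _, raw := range SampleActionURLs {
		v, err := ValidateActionURL(raw, siteHost)
		if err != nil {
			fmt.Printf("REJECT %-75s %v\n", raw, err)
			continue
		}
		fmt.Printf("ACCEPT %-75s %s %s\n", raw, v.Kind, v.Path)
	}
}
```

The validator deliberately rejects dot segments even in external URLs rather than normalising them away: a callback URL that needs ".." to reach its target is a sign of tampering, and refusing it is cheaper than reasoning about how every hop between the server and the target will resolve it.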

Generated by OpenCVE AI on May 21, 2026 at 10:52 UTC.

History

Thu, 21 May 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mattermost mattermost Server
CPEs                                  cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:mattermost:mattermost_server:11.6.0:*:*:*:*:*:*:*
Vendors & Products                    Mattermost mattermost Server

Thu, 21 May 2026 12:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: total


Thu, 21 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mattermost
                                      Mattermost mattermost
Vendors & Products                    Mattermost
                                      Mattermost mattermost

Thu, 21 May 2026 09:00:00 +0000

Type          Values Removed   Values Added
Description                    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640
Title                          Path traversal in integration action URL leading to arbitrary API execution via system admin's auth token.
Weaknesses                     CWE-22
References                     (none)
Metrics                        cvssV3_1: score 8.0, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: Mattermost

Updated: 2026-05-21T12:10:27.914Z

Reserved: 2026-03-25T15:58:42.714Z

Link: CVE-2026-4858

Vulnrichment

Updated: 2026-05-21T12:10:21.368Z

NVD

Status : Analyzed

Published: 2026-05-21T09:16:30.143

Modified: 2026-05-21T19:43:31.373

Link: CVE-2026-4858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:00:11Z

Weaknesses