Impact
The flaw is that Mattermost Plugins versions up to and including 1.1.5 accept filenames from federated Mattermost peers and use them to build export paths without sanitizing them first. An attacker who holds administrator rights on a remote federated server can therefore supply a crafted filename containing directory-traversal sequences and write a file to an arbitrary location within the target server's filestore. This is a classic path traversal (CWE-22): an attacker-controlled path component escapes the intended export directory, which can lead to unauthorized file creation, modification, or deletion and could be leveraged to place malicious code on the server, affecting the confidentiality, integrity, and availability of data.
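The two halves of the issue, an unchecked path join and a hardened replacement, as an added Go example written for this page (not the plugin's own code; the export root, the function names, and the sample filenames are assumptions, and the code stands in for whatever the plugin does when it builds an export path from a name received over attachment sync):

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// exportRoot stands in for the filestore directory under which exports are
// written. Assumed value for this example; the plugin's real layout is not
// described on this page.
const exportRoot = "/data/filestore/legalhold/exports"

// buildExportPathUnsafe reproduces the flaw described above: the filename
// received from the federated peer is joined onto the export root with no
// validation. filepath.Join cleans the result, so every "../" segment in the
// remote name walks one level out of the intended directory.
func buildExportPathUnsafe(channelID, remoteFilename string) string {
	return filepath.Join(exportRoot, channelID, remoteFilename)
}

var errBadFilename = errors.New("rejected filename from federated peer")

// isSingleComponent reports whether s can only ever name one entry inside its
// parent directory: non-empty, not "." or "..", and free of both separator
// styles and NUL bytes. Backslash is rejected explicitly because on Linux
// path/filepath treats it as an ordinary character while a Windows host would not.
func isSingleComponent(s string) bool {
	if s == "" || s == "." || s == ".." {
		return false
	}
	return !strings.ContainsAny(s, "/\\\x00")
}

// buildExportPathSafe validates every attacker-influenced component before it
// is joined, then re-checks that the cleaned result still lies inside
// exportRoot. The second check is defence in depth: it catches any future
// change that lets a separator slip past the first one.
func buildExportPathSafe(channelID, remoteFilename string) (string, error) {
	if !isSingleComponent(channelID) || !isSingleComponent(remoteFilename) {
		return "", errBadFilename
	}
	p := filepath.Join(exportRoot, channelID, remoteFilename)
	rel, err := filepath.Rel(exportRoot, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadFilename
	}
	return p, nil
}

func main() {
	// Constructed sample names: one benign, one carrying a traversal sequence
	// of the kind a malicious federated peer could send.
	for _, name := range []string{"report.pdf", "../../escaped.txt"} {
		fmt.Printf("unsafe: %s -> %s\n", name, buildExportPathUnsafe("chan1", name))
		if p, err := buildExportPathSafe("chan1", name); err != nil {
			fmt.Printf("safe:   %s -> %v\n", name, err)
		} else {
			fmt.Printf("safe:   %s -> %s\n", name, p)
		}
	}
}
```

With the crafted name the unsafe join resolves to `/data/filestore/legalhold/escaped.txt`, two levels above the export root, while the hardened version rejects it before any path is formed. The channel identifier is validated with the same rule because, in a federated exchange, it is also supplied by the peer. On Go 1.20 and later, `filepath.IsLocal` offers a standard-library check with similar intent for the whole relative path; the explicit single-component rule above is stricter and is what a filename field should satisfy.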
Affected Systems
This flaw affects Mattermost plugin deployments running version 1.1.5 or older. Administrators should check whether the Legal Hold plugin, or related federated attachment sync functionality, is installed and, if so, confirm the exact plugin version in use. The vulnerability is specific to how filenames received through the shared-channel attachment sync protocol are handled, so the remote attack path described here requires that the target be federated with at least one other Mattermost server.
Risk and Exploitability
The CVSS score of 8 places the issue in the high severity band. No EPSS score is available, so there is no quantified probability of exploitation recorded at this time, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is remote, but the attacker must hold administrator rights on a Mattermost server that is federated with the target: exposure is therefore limited to federation partners, although a single compromised or malicious partner is sufficient. Once that precondition is met, the path traversal makes writing files to arbitrary paths within the filestore straightforward, so exploitability is high under those conditions.
OpenCVE Enrichment