Description
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661
Published: 2026-06-12
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost fails to sanitize the FileInfo.Name field received from federated peers during shared channel file sync. The flaw allows an attacker who controls a federated server to write files to arbitrary locations within the target server’s filestore via path traversal sequences in the filename. This can lead to overwriting critical configuration files or storing malicious binaries, thereby compromising the integrity of the system. The weakness is a classic path traversal flaw (CWE-22).
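The defensive check this flaw calls for is to treat a synced file name as untrusted input and accept only a single path component before it is joined into a filestore path. The following Go code is an added illustration written for this page, not Mattermost's own code or its actual fix; the function names, the filestore root and the file ID layout are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafeFileName is returned when a file name received from a federated
// peer could escape the directory it is supposed to be stored under.
var ErrUnsafeFileName = errors.New("unsafe file name from federated peer")

// SafeSyncedName validates a remote FileInfo.Name before it is used to build
// a filestore path. Only a bare, clean, single path component is accepted.
// Hypothetical helper, not Mattermost's implementation.
func SafeSyncedName(name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrUnsafeFileName
	}
	// NUL bytes can truncate paths in some storage backends.
	if strings.ContainsRune(name, 0) {
		return "", ErrUnsafeFileName
	}
	// Any separator (forward or backward slash) means more than one component.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrUnsafeFileName
	}
	// Cleaning must be a no-op for a name that is already a plain component.
	if path.Clean(name) != name {
		return "", ErrUnsafeFileName
	}
	return name, nil
}

// FilestorePath joins the validated name under root/<fileID>/ and re-checks
// that the result still lies inside root (defence in depth for the join).
func FilestorePath(root, fileID, name string) (string, error) {
	safe, err := SafeSyncedName(name)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, fileID, safe)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeFileName
	}
	return full, nil
}

func main() {
	// Constructed sample names: one benign, two carrying traversal sequences.
	for _, n := range []string{"report.pdf", "../../config/config.json", `..\evil.bin`} {
		p, err := FilestorePath("/data/filestore", "abc123", n)
		fmt.Printf("%q -> %q err=%v\n", n, p, err)
	}
}
```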

Affected Systems

The vulnerability affects Mattermost, versions 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, 10.11.x up to 10.11.15, and 10.11.x up to 10.11.16. Any deployment of these versions that has federation enabled and accepts file sync from an external server is vulnerable.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. The EPSS score is not available, so the exploitation probability is currently unknown. The vulnerability is not listed in CISA's KEV catalog. An attacker must control a federated peer and initiate a file sync; the likely attack vector is network-based through the federation channel, allowing the attacker to write arbitrary files to the target server's filestore.

Generated by OpenCVE AI on June 12, 2026 at 19:53 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17 or higher.


OpenCVE Recommended Actions

  • Apply an official Mattermost update to v11.7.0, v11.6.2, v11.5.5, v10.11.16, or v10.11.17 or later.
  • If federation is not required, disable the federation feature or restrict it to trusted servers only.
  • Monitor federation logs for unexpected file sync activity and verify that only known peers are connected.

Generated by OpenCVE AI on June 12, 2026 at 19:53 UTC.

Advisories

No advisories yet.

References
History

Fri, 12 Jun 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Mattermost; Mattermost mattermost
Type: Vendors & Products
Values Added: Mattermost; Mattermost mattermost

Fri, 12 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 17:15:00 +0000

Type: Description
Values Added: Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661
Type: Title
Values Added: CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added: (none)
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L'}


Subscriptions

Mattermost Mattermost
MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-13T03:56:07.763Z

Reserved: 2026-04-24T15:22:26.743Z

Link: CVE-2026-6961

Vulnrichment

Updated: 2026-06-12T17:17:41.028Z

NVD

Status: Received

Published: 2026-06-12T17:16:27.410

Modified: 2026-06-12T17:16:27.410

Link: CVE-2026-6961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:00:18Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')