CVE-2026-13426

MEDIUM

Client4 fails to validate path parameters

Title source: cna
STIX 2.1

Description

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2025-00532
https://mattermost.com/security-updates

Scores

CVSS v3 5.4
EPSS 0.0020
EPSS Percentile 9.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
Mattermost/github.com/mattermost/mattermost/server/public v0.0.0 - v0.1.22
Mattermost/github.com/mattermost/mattermost/server/public v0.1.22
Published Jun 26, 2026
Tracked Since Jun 26, 2026