CVE-2026-3112

MEDIUM

Arbitrary File Read via Advanced Logging Support Packet

Title source: cna

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost Advisory ID: MMSA-2025-00562

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

MMSA-2025-00562

https://mattermost.com/security-updates

Scores

CVSS v3 6.8

EPSS 0.0002

EPSS Percentile 5.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (12)

Mattermost/Mattermost 10.11.0 - 10.11.11

Mattermost/Mattermost 10.11.12

Mattermost/Mattermost 11.2.0 - 11.2.3

Mattermost/Mattermost 11.2.4

Mattermost/Mattermost 11.3.0 - 11.3.1

Mattermost/Mattermost 11.3.2

Mattermost/Mattermost 11.4.0

mattermost/mattermost 11.4.0-rc1 - 11.4.1Go

Mattermost/Mattermost 11.4.1

Mattermost/Mattermost 11.5.0

... and 2 more

Published Mar 26, 2026

Tracked Since Mar 26, 2026