CVE-2026-4858
HIGHPath traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.
Title source: cnaDescription
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640
References (1)
Core 1
Core References
Scores
CVSS v3
8.0
EPSS
0.0025
EPSS Percentile
16.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (15)
Mattermost/Mattermost
10.11.0 - 10.11.14
Mattermost/Mattermost
10.11.15
Mattermost/Mattermost
11.4.0 - 11.4.4
Mattermost/Mattermost
11.4.5
Mattermost/Mattermost
11.5.0 - 11.5.3
Mattermost/Mattermost
11.5.4
Mattermost/Mattermost
11.6.0
Mattermost/Mattermost
11.6.1
Mattermost/Mattermost
11.7.0
mattermost/mattermost-server
10.11.0 - 10.11.15Go
... and 5 more
Published
May 21, 2026
Tracked Since
May 21, 2026