CVE-2026-4858

HIGH

Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.

Title source: cna
STIX 2.1

Description

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00640
https://mattermost.com/security-updates

Scores

CVSS v3 8.0
EPSS 0.0025
EPSS Percentile 16.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (15)
Mattermost/Mattermost 10.11.0 - 10.11.14
Mattermost/Mattermost 10.11.15
Mattermost/Mattermost 11.4.0 - 11.4.4
Mattermost/Mattermost 11.4.5
Mattermost/Mattermost 11.5.0 - 11.5.3
Mattermost/Mattermost 11.5.4
Mattermost/Mattermost 11.6.0
Mattermost/Mattermost 11.6.1
Mattermost/Mattermost 11.7.0
mattermost/mattermost-server 10.11.0 - 10.11.15Go
... and 5 more
Published May 21, 2026
Tracked Since May 21, 2026