CVE-2026-6957

HIGH

Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write.

Title source: cna
STIX 2.1

Description

Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00659
https://mattermost.com/security-updates

Scores

CVSS v3 8.0
EPSS 0.0029
EPSS Percentile 20.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (3)
mattermost/legal_hold < 1.1.5
Mattermost/Mattermost < 1.1.5
Mattermost/Mattermost .0
Published May 27, 2026
Tracked Since May 27, 2026