Skip to main content

Mattermost CVE-2026-4858

| EUVDEUVD-2026-31242 HIGH
Path Traversal (CWE-22)
2026-05-21 Mattermost GHSA-c4r7-j7pp-r8mp
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 09:30 vuln.today

DescriptionCVE.org

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640

AnalysisAI

Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitrary internal APIs using the system administrator's auth token by manipulating integration action URLs. Affected branches include 11.6.x, 11.5.x, 11.4.x, and 10.11.x, with no public exploit identified at time of analysis. CVSS 8.0 reflects high impact across confidentiality, integrity, and availability despite high attack complexity and required user interaction.

Technical ContextAI

Mattermost is an open-source, self-hostable team messaging and collaboration platform widely deployed as a Slack alternative in enterprises and government environments. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal): the integration action URL handler does not normalize or validate the path component of URLs supplied by integrations, so sequences such as '../' permit redirection of the request to arbitrary API endpoints. Because the server processes those redirected requests using the system administrator's stored auth token (used for executing integration actions), the traversal effectively launders a low-privileged user's request into a privileged internal API call. The CPE 'cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*' covers all Mattermost server editions in the listed version ranges.

RemediationAI

Patch available per vendor advisory MMSA-2026-00640 at https://mattermost.com/security-updates; administrators should upgrade to the next maintenance release on their branch above the listed vulnerable ceilings (11.6.x > 11.6.0, 11.5.x > 11.5.3, 11.4.x > 11.4.4, 10.11.x > 10.11.14) - consult the advisory for the exact fix versions, as released patched versions are not independently confirmed in the available data. Until patches are deployed, compensating controls include restricting who can create or modify integrations and slash commands via Mattermost system console permissions (trade-off: blocks legitimate integration development), auditing existing integrations for unexpected action URL patterns containing '../' or encoded traversal sequences, rotating the system admin auth token after upgrade, and placing the Mattermost API behind a reverse proxy that normalizes and rejects path-traversal sequences before they reach the integration handler (trade-off: may break legitimate redirect-style integrations).

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-4858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy