Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640
AnalysisAI
Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitrary internal APIs using the system administrator's auth token by manipulating integration action URLs. Affected branches include 11.6.x, 11.5.x, 11.4.x, and 10.11.x, with no public exploit identified at time of analysis. CVSS 8.0 reflects high impact across confidentiality, integrity, and availability despite high attack complexity and required user interaction.
Technical ContextAI
Mattermost is an open-source, self-hostable team messaging and collaboration platform widely deployed as a Slack alternative in enterprises and government environments. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal): the integration action URL handler does not normalize or validate the path component of URLs supplied by integrations, so sequences such as '../' permit redirection of the request to arbitrary API endpoints. Because the server processes those redirected requests using the system administrator's stored auth token (used for executing integration actions), the traversal effectively launders a low-privileged user's request into a privileged internal API call. The CPE 'cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*' covers all Mattermost server editions in the listed version ranges.
RemediationAI
Patch available per vendor advisory MMSA-2026-00640 at https://mattermost.com/security-updates; administrators should upgrade to the next maintenance release on their branch above the listed vulnerable ceilings (11.6.x > 11.6.0, 11.5.x > 11.5.3, 11.4.x > 11.4.4, 10.11.x > 10.11.14) - consult the advisory for the exact fix versions, as released patched versions are not independently confirmed in the available data. Until patches are deployed, compensating controls include restricting who can create or modify integrations and slash commands via Mattermost system console permissions (trade-off: blocks legitimate integration development), auditing existing integrations for unexpected action URL patterns containing '../' or encoded traversal sequences, rotating the system admin auth token after upgrade, and placing the Mattermost API behind a reverse proxy that normalizes and rejects path-traversal sequences before they reach the integration handler (trade-off: may break legitimate redirect-style integrations).
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31242
GHSA-c4r7-j7pp-r8mp