Severity by source
Primary rating from vendor (Mattermost): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L, base score 7.6 (High).
Network-reachable file sync (AV:N/AC:L); requires administrative control of a federated peer (PR:H); arbitrary file write crosses the filestore trust boundary (S:C), yielding high integrity and low availability impact with no direct confidentiality loss.
Description (source: CVE.org)
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661
Analysis (AI)
Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 10.11.15/10.11.16 when shared channels with federated peers are in use. An attacker who controls a federated Mattermost server can supply crafted FileInfo.Name values during file sync to write files to arbitrary locations in the target server's filestore. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The target Mattermost server must have the shared channels feature enabled and be federated with at least one peer Mattermost server controlled by the attacker; exploitation occurs over the normal shared-channel file sync protocol with no user interaction on the victim side. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L yields 7.6 (High), reflecting that exploitation is network-reachable and low-complexity but requires high privileges, specifically control over a peer server already federated with the victim. … |
| Exploit Scenario | An attacker who operates (or compromises) a Mattermost server that has been federated as a shared-channel peer with the victim uploads a file whose FileInfo.Name contains '../' traversal sequences. When the victim server processes the sync message it writes the attacker-supplied content to a path outside the filestore (for example overwriting a plugin binary, configuration file, or web-accessible asset), which can then be leveraged for code execution or persistence. … |
| Remediation | Patch available per vendor advisory MMSA-2026-00661 (https://mattermost.com/security-updates): upgrade to a fixed release above 11.6.1, 11.5.4, or 10.11.16 as listed by Mattermost; exact fix versions should be confirmed against that advisory before deployment. … |
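The weakness class behind this advisory is a peer-supplied file name being joined onto the filestore root without validation. The following Go program is an added illustration written for this page, not Mattermost's code: the `FileInfo` type, the root path and the sample names are constructed stand-ins. It shows the unsafe join beside a hardened version that accepts only a bare base name and then re-checks that the final path is still inside the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// FileInfo stands in for the synced file metadata the advisory refers to.
// It is a hypothetical illustration type, not Mattermost's own model.FileInfo.
type FileInfo struct {
	Name string
}

var ErrUnsafeName = errors.New("file name from remote peer is not a bare base name")

// UnsafeTargetPath shows the weakness class the advisory describes: the
// peer-supplied name is joined straight onto the filestore root. Join cleans
// the path, so "../" segments walk out of root instead of being rejected.
func UnsafeTargetPath(root string, fi FileInfo) string {
	return filepath.Join(root, fi.Name)
}

// SanitizeRemoteName accepts only a bare base name. Anything that could
// select a directory (separators, ".", "..", NUL) is rejected rather than
// stripped, because a remote peer never has a legitimate reason to send one.
func SanitizeRemoteName(name string) (string, error) {
	switch {
	case name == "", name == ".", name == "..":
		return "", ErrUnsafeName
	case strings.ContainsAny(name, "/\\"):
		return "", ErrUnsafeName
	case strings.ContainsRune(name, 0):
		return "", ErrUnsafeName
	}
	return name, nil
}

// SafeTargetPath validates the name, joins it under root, and then verifies
// the result is still inside root (defense in depth, in case the sanitizer
// and the filesystem ever disagree about what counts as a separator).
func SafeTargetPath(root string, fi FileInfo) (string, error) {
	name, err := SanitizeRemoteName(fi.Name)
	if err != nil {
		return "", err
	}
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, name)
	rel, err := filepath.Rel(cleanRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed sample root and names; not values from any real deployment.
	root := "/srv/mattermost/data/remote"
	for _, fi := range []FileInfo{
		{Name: "report.pdf"},
		{Name: "../../plugins/evil.so"},
		{Name: "sub/dir.txt"},
	} {
		fmt.Printf("unsafe: %q -> %s\n", fi.Name, UnsafeTargetPath(root, fi))
		if p, err := SafeTargetPath(root, fi); err != nil {
			fmt.Printf("safe:   %q -> rejected (%v)\n", fi.Name, err)
		} else {
			fmt.Printf("safe:   %q -> %s\n", fi.Name, p)
		}
	}
}
```

The design point is to reject rather than normalise: stripping `../` from a name and keeping the remainder invites bypasses through double encoding or mixed separators, whereas a sync message that carries anything other than a plain base name is itself a signal worth logging.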
Recommended Action (AI)
Within 24 hours: identify all Mattermost instances running affected versions (10.11.x ≤ 10.11.16, 11.5.x ≤ 11.5.4, 11.6.x ≤ 11.6.1) and audit federated peer configurations. …
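To carry out the first step above across an inventory, the affected ranges can be encoded directly from the description on this page. The Go program below is an added example, not a vuln.today or Mattermost tool; the hostnames and versions in it are constructed. The description lists the 10.11 branch both as `<= 10.11.15` and `<= 10.11.16`; the wider bound is used, matching the remediation row. A version on a branch the advisory does not name is reported as "not listed", which is not the same as confirmed unaffected.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Version is a minimal major.minor.patch triple, the form Mattermost releases use.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts "11.6.1" or "v11.6.1". Anything else is an error so that
// an unparseable inventory entry is surfaced rather than silently skipped.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("version %q is not major.minor.patch", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("version %q has non-numeric component %q", s, p)
		}
		nums[i] = n
	}
	return Version{nums[0], nums[1], nums[2]}, nil
}

// affectedRange is a release branch plus the highest patch listed as affected.
type affectedRange struct {
	Major, Minor, MaxPatch int
}

// Affected branches as given in the CVE description on this page
// (11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.16).
var affectedRanges = []affectedRange{
	{11, 6, 1},
	{11, 5, 4},
	{10, 11, 16},
}

// IsAffected reports whether v falls inside one of the listed ranges.
// false means "not listed in the advisory", not "confirmed safe".
func IsAffected(v Version) bool {
	for _, r := range affectedRanges {
		if v.Major == r.Major && v.Minor == r.Minor && v.Patch <= r.MaxPatch {
			return true
		}
	}
	return false
}

// Triage classifies a host -> version inventory. Hosts whose version cannot be
// parsed are returned as errors so they are followed up by hand.
func Triage(inventory map[string]string) (affected []string, errs []error) {
	for host, raw := range inventory {
		v, err := ParseVersion(raw)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", host, err))
			continue
		}
		if IsAffected(v) {
			affected = append(affected, host)
		}
	}
	sort.Strings(affected)
	return affected, errs
}

func main() {
	// Constructed inventory; hostnames and versions are illustrative only.
	inventory := map[string]string{
		"chat-prod-1": "11.6.1",
		"chat-prod-2": "11.6.2",
		"chat-eu":     "10.11.16",
		"chat-legacy": "10.11.17",
		"chat-lab":    "unknown",
	}
	affected, errs := Triage(inventory)
	fmt.Println("affected:", affected)
	for _, err := range errs {
		fmt.Println("could not classify:", err)
	}
}
```

Hosts flagged as affected are the ones whose federated peer configuration should be audited first, since the vulnerability is only reachable through a peer that already holds shared-channel trust.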
Same weakness: CWE-22 – Path Traversal
Same technique: Path Traversal
External references
- EUVD-2026-36504
- GHSA-8qq9-cqj8-82w4