
Mattermost CVE-2026-6961

EUVD: EUVD-2026-36504 · HIGH
Path Traversal (CWE-22)
2026-06-12 Mattermost GHSA-8qq9-cqj8-82w4
7.6
CVSS 3.1 · Vendor: Mattermost

Severity by source

Vendor (Mattermost) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L
vuln.today AI
7.6 HIGH

Network-reachable file sync (AV:N/AC:L); requires administrative control of a federated peer (PR:H); arbitrary file write crosses the filestore trust boundary (S:C) yielding high integrity and low availability impact with no direct confidentiality loss.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N

Primary rating from Vendor (Mattermost).

CVSS Vector (Vendor: Mattermost)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 17:31 vuln.today

Description (CVE.org)

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661

Analysis (AI)

Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 10.11.15/10.11.16 when shared channels with federated peers are in use. An attacker who controls a federated Mattermost server can supply crafted FileInfo.Name values during file sync to write files to arbitrary locations in the target server's filestore. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: control a federated peer server
  • Delivery: establish shared channel sync with the victim
  • Exploit: send a FileInfo whose Name contains traversal sequences
  • Execution: the victim writes the file outside its intended location in the filestore
  • Persist: overwrite a binary or configuration file
  • Impact: achieve code execution or tampering

Vulnerability Assessment (AI)

Exploitation: The target Mattermost server must have the shared channels feature enabled and be federated with at least one peer Mattermost server controlled by the attacker; exploitation occurs over the normal shared-channel file sync protocol with no user interaction on the victim side. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L yields 7.6 (High), reflecting that exploitation is network-reachable and low-complexity but requires high privileges, specifically control over a peer server already federated with the victim. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker who operates (or compromises) a Mattermost server that has been federated as a shared-channel peer with the victim uploads a file whose FileInfo.Name contains '../' traversal sequences. When the victim server processes the sync message it writes the attacker-supplied content to a path outside the directory intended for that file, for example overwriting a plugin binary, configuration file, or web-accessible asset, which can then be leveraged for code execution or persistence. The vendor description speaks of arbitrary locations within the filestore; whether a write can land beyond the filestore root depends on the storage backend (local disk versus object storage) and on how it resolves the traversal. …
Remediation: Patch available per vendor advisory MMSA-2026-00661 (https://mattermost.com/security-updates); upgrade to a fixed release above 11.6.1, 11.5.4, or 10.11.16 as listed by Mattermost. Exact fix versions should be confirmed against that advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.
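The bug class behind this advisory and the shape of its fix, as an added Go example that is not Mattermost's code: a stand-in FileInfo type, the unsafe join that lets a peer-supplied Name climb out of the filestore root (filepath.Join cleans "../" segments, which is exactly what makes the escape work), and a hardened path builder that rejects any remote name that is not a single path element and then re-checks containment with filepath.Rel as a second layer. The filestore root, the shared/<id>/<name> layout, the FileInfo fields and the sample sync messages are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// FileInfo is a stand-in for the synced file metadata the advisory refers to.
// Only Name and the ID used for the on-disk directory matter here; the struct
// is an assumption of this example, not Mattermost's actual type.
type FileInfo struct {
	ID   string
	Name string
}

// ErrUnsafeName is returned for any remote-supplied name that is not a plain
// base name.
var ErrUnsafeName = errors.New("unsafe remote filename")

// vulnerableStorePath shows the bug class: the name received from the peer is
// joined onto the filestore root as-is. filepath.Join cleans "../" segments,
// so a crafted name resolves to a location outside root.
func vulnerableStorePath(root string, fi FileInfo) string {
	return filepath.Join(root, "shared", fi.ID, fi.Name)
}

// sanitizeName accepts a remote-supplied name only if it is a single path
// element: no slash, no backslash (a Windows filestore treats it as a
// separator even if the sender is on Linux), no NUL, and not "." or "..".
// It rejects rather than rewrites, so a hostile peer cannot smuggle a
// silently renamed file either.
func sanitizeName(name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrUnsafeName
	}
	if strings.ContainsAny(name, "/\\\x00") {
		return "", ErrUnsafeName
	}
	return name, nil
}

// withinRoot is the second layer: whatever built the path, refuse to write
// anything whose cleaned form is not under root.
func withinRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeStorePath is the hardened counterpart of vulnerableStorePath. Both the
// ID and the Name come from the peer, so both are validated.
func safeStorePath(root string, fi FileInfo) (string, error) {
	id, err := sanitizeName(fi.ID)
	if err != nil {
		return "", fmt.Errorf("file id: %w", err)
	}
	name, err := sanitizeName(fi.Name)
	if err != nil {
		return "", fmt.Errorf("file name: %w", err)
	}
	p := filepath.Join(root, "shared", id, name)
	if !withinRoot(root, p) {
		return "", ErrUnsafeName
	}
	return p, nil
}

func main() {
	root := "/var/mattermost/data" // assumed filestore root
	// Constructed sync messages: one benign, the rest hostile.
	msgs := []FileInfo{
		{ID: "k3n9q", Name: "report.pdf"},
		{ID: "k3n9q", Name: "../../../../../opt/mattermost/plugins/evil/server/dist/plugin"},
		{ID: "k3n9q", Name: `..\..\config\config.json`},
		{ID: "../..", Name: "notes.txt"},
	}
	for _, fi := range msgs {
		v := vulnerableStorePath(root, fi)
		fmt.Printf("id=%q name=%q\n  vulnerable -> %s (inside root: %v)\n", fi.ID, fi.Name, v, withinRoot(root, v))
		if s, err := safeStorePath(root, fi); err != nil {
			fmt.Printf("  hardened   -> rejected: %v\n", err)
		} else {
			fmt.Printf("  hardened   -> %s\n", s)
		}
	}
}
```

The two layers are deliberately independent: the name check stops the traversal at the protocol boundary and gives you something to log per peer, while the containment check protects against any other code path that later builds a path from synced metadata. On an object-storage backend the same rejection still applies, since a key containing "../" is not resolved by the store but can still collide with or shadow other keys once the application normalises it.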

Recommended Action (AI)

Within 24 hours: identify all Mattermost instances running affected versions (10.11.x ≤ 10.11.16, 11.5.x ≤ 11.5.4, 11.6.x ≤ 11.6.1) and audit federated peer configurations. …


Related vulnerabilities (summaries truncated as shown on the page):

  • CVE-2026-9354, MEDIUM, PoC, 5.5, May 24: Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t…
  • CVE-2026-7387, HIGH, 8.8, Jun 12: Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr…
  • CVE-2026-3524, HIGH, 8.8, Apr 06: Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal…
  • CVE-2026-6346, HIGH, 8.7, May 18: Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sa…
  • CVE-2026-6957, HIGH, 8.0, May 27: Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost ser…
  • CVE-2026-3108, HIGH, 8.0, Mar 26: Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-gen…
  • CVE-2026-4858, HIGH, 8.0, May 21: Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitr…
  • CVE-2026-6517, HIGH, 7.7, Jun 15: Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harves…
  • CVE-2026-6347, HIGH, 7.6, May 18: Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 expos…
  • CVE-2026-24458, HIGH, 7.5, Mar 16: Mattermost 10.11.x through 11.3.x fails to validate password length, allowing unauthenticated attackers to trigger denia…
  • CVE-2026-5740, HIGH, 7.5, May 22: Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remo…
  • CVE-2026-6739, HIGH, 7.2, Jun 12: Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management p…
