CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Description (NVD)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URLs for path traversal, which allows a malicious authenticated user to call an arbitrary API with the system admin's Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640
Analysis (AI-generated)
Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitrary internal APIs using the system administrator's auth token by manipulating integration action URLs. Affected branches include 11.6.x, 11.5.x, 11.4.x, and 10.11.x, with no public exploit identified at time of analysis. …
Remediation (AI-generated)
24 hours: Inventory Mattermost instances for affected versions (11.6.x, 11.5.x, 11.4.x, 10.11.x) and document the authenticated user base with integration access.
7 days: Restrict integration creation and modification privileges to trusted administrator accounts; implement monitoring and alerts for admin API invocations; subscribe to Mattermost security advisories for patch notification. …
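For the inventory step above, an added example (not the vuln.today page's or Mattermost's own code): a small Python checker that classifies a version string against the four affected ranges quoted in the description, and buckets a host list so the affected instances can be scheduled for patching first. The hostnames and versions in the sample inventory are constructed; the branch ceilings are copied from the advisory text, and any branch the advisory does not mention is reported as unknown rather than assumed safe.

```python
"""Check Mattermost version strings against the affected ranges listed in the
MMSA-2026-00640 description.

Added example, not part of the vuln.today page or of Mattermost's own tooling.
Assumes versions use plain "major.minor.patch" numbering, optionally prefixed
with "v" or suffixed with a pre-release tag (which is ignored for the check).
"""
import re
from typing import Optional

# (major, minor) -> highest patch level still affected, per the advisory text.
AFFECTED_BRANCHES = {
    (11, 6): 0,    # 11.6.x <= 11.6.0
    (11, 5): 3,    # 11.5.x <= 11.5.3
    (11, 4): 4,    # 11.4.x <= 11.4.4
    (10, 11): 14,  # 10.11.x <= 10.11.14
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'v11.5.2' or '11.5.2-rc1' into (11, 5, 2); raise on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mattermost version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if on a listed branch but above
    the ceiling, None if the branch is not mentioned by the advisory at all
    (treat None as 'needs manual review', not as 'safe')."""
    major, minor, patch = parse_version(version)
    ceiling = AFFECTED_BRANCHES.get((major, minor))
    if ceiling is None:
        return None
    return patch <= ceiling


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hostnames by status so affected hosts can be patched first."""
    buckets: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "chat-prod-01": "11.5.3",
        "chat-prod-02": "v11.6.1",
        "chat-staging": "10.11.14-rc2",
        "chat-legacy": "9.11.5",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {hosts}")
```

The "unknown" bucket is deliberate: the advisory lists only four branches, so a 9.x or 12.x instance is not proven safe by this script and should be checked against the vendor's own release notes rather than silently skipped.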
EUVD-2026-31242
GHSA-c4r7-j7pp-r8mp