CVE-2026-4858 · Severity: HIGH · CNA: Mattermost
CVE-2026-4858: Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal, which allows a malicious authenticated user to call an arbitrary API with the system admin's Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640
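One defensive check for this bug class, added here as an example and not Mattermost's own code or fix: it normalizes a relative integration action URL (resolving `.`, `..`, and single or double percent-encoding) and rejects anything that escapes an expected prefix. The `/plugins/` prefix, the function name and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed assumption: the prefix under which action URLs must resolve.
// It stands in for whatever a real deployment enforces, not Mattermost's code.
const allowedPrefix = "/plugins/"

// safeActionPath normalizes a relative integration action URL and rejects any
// that escapes allowedPrefix once ".", "..", and percent-encoded forms resolve.
func safeActionPath(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "" || u.Host != "" { // absolute URL: leaves the origin entirely
		return "", errors.New("action URL must be a relative path")
	}
	// url.Parse decodes one layer into u.Path; decode once more so a
	// double-encoded "%252e%252e" cannot survive as "%2e%2e".
	p := u.Path
	if dec, err := url.PathUnescape(p); err == nil {
		p = dec
	}
	p = strings.ReplaceAll(p, `\`, "/") // treat backslashes as separators too
	if !strings.HasPrefix(p, "/") {
		return "", errors.New("action URL path must start with /")
	}
	// path.Clean resolves "." and ".." lexically; a traversal that escapes the
	// prefix therefore shows up as a cleaned path with a different prefix.
	clean := path.Clean(p)
	if !strings.HasPrefix(clean, allowedPrefix) {
		return "", fmt.Errorf("path %q resolves outside %s", clean, allowedPrefix)
	}
	return clean, nil
}

func main() {
	for _, raw := range []string{ // constructed: one benign URL, two traversals
		"/plugins/com.example.bot/actions/approve",
		"/plugins/x/../../api/v4/some-admin-endpoint", "/plugins/x/%2e%2e/%2e%2e/api/v4/some-admin-endpoint"} {
		p, err := safeActionPath(raw)
		fmt.Printf("%-55s -> %q err=%v\n", raw, p, err)
	}
}
```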
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: 10.11.15
- Affected Products: 1
Fix available: 10.11.15, 11.4.5, 11.5.4, 11.6.1, 11.7.0
Affected packages
- Mattermost / Mattermost: ≤ 11.6.0 · ≤ 11.5.3 · ≤ 11.4.4 · ≤ 10.11.14 (fixed in 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H