CVE-2026-6957: Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write.
Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol.
Mattermost Advisory ID: MMSA-2026-00659
HarborGuard Analysis
Synopsis
A path traversal vulnerability in the Mattermost Legal Hold plugin (versions 1.1.5 and earlier) allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore. The attack is delivered over the network through the shared-channel attachment sync protocol and requires no interaction from a victim on the target server, though the attacker must control a remote federated server with admin credentials. Successful exploitation gives the attacker the ability to overwrite or plant arbitrary files anywhere the filestore is writable, with full confidentiality, integrity, and availability impact in the affected scope. A patched-image rebuild is available on HarborGuard for environments running an affected version.
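The defect class described above, a peer-supplied filename joined onto an export directory without validation, is easiest to see next to its hardened form. The following is an added example, not code from the Mattermost Legal Hold plugin or from HarborGuard; the export directory, the sample filenames and the function names (VulnerableExportPath, SafeExportPath) are constructed for illustration. Go is used because Mattermost plugins are written in Go.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeFilename is returned when a filename received from a federated peer
// cannot be used to build a path inside the export directory.
var ErrUnsafeFilename = errors.New("unsafe filename from federated peer")

// VulnerableExportPath shows the defect class: the peer-supplied name is joined
// onto the export directory as-is. filepath.Join normalises ".." segments, so a
// name such as "../../x" resolves to a location outside exportDir.
// (Illustrative only; not the plugin's actual code.)
func VulnerableExportPath(exportDir, peerFilename string) string {
	return filepath.Join(exportDir, peerFilename)
}

// SafeExportPath treats the peer-supplied value as an untrusted single path
// component and verifies the result stays inside exportDir.
func SafeExportPath(exportDir, peerFilename string) (string, error) {
	// Reject empty names, the dot entries and anything containing a separator
	// (either style, since the filestore may sit on a different OS) or a NUL byte.
	if peerFilename == "" || peerFilename == "." || peerFilename == ".." {
		return "", ErrUnsafeFilename
	}
	if strings.ContainsAny(peerFilename, `/\`) || strings.ContainsRune(peerFilename, 0) {
		return "", ErrUnsafeFilename
	}
	// Only a bare base name is acceptable; if Base() changes it, something slipped past.
	if filepath.Base(peerFilename) != peerFilename {
		return "", ErrUnsafeFilename
	}
	// Defence in depth: join, then prove containment with a relative-path check
	// rather than a string-prefix comparison (which "/exports-old" would fool).
	root := filepath.Clean(exportDir)
	full := filepath.Join(root, peerFilename)
	rel, err := filepath.Rel(root, full)
	if err != nil || filepath.IsAbs(rel) || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeFilename
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one benign attachment name and three hostile ones.
	exportDir := "/var/mattermost/legalhold/exports"
	samples := []string{"attachment.pdf", "../../config/config.json", "/etc/passwd", `..\..\plugin.json`}
	for _, name := range samples {
		vuln := VulnerableExportPath(exportDir, name)
		safe, err := SafeExportPath(exportDir, name)
		fmt.Printf("%-28q vulnerable=%-45s safe=%q err=%v\n", name, vuln, safe, err)
	}
}
```

Run it and the vulnerable column shows the traversal name landing at /var/mattermost/config/config.json, while the hardened function rejects every name that is not a plain base name. The same containment check can be reused wherever a path component originates from a federation peer rather than from the local server.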
HarborGuard Coverage
Detection of CVE-2026-6957 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the Mattermost Legal Hold plugin at version 1.1.5 or earlier.
HarborGuard scores this CVE at 8.0 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at the fix version becomes available on HarborGuard for any image identified as running an affected version of the Mattermost Legal Hold plugin. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against the affected workload automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the target Mattermost server over the network via the shared-channel attachment sync protocol exposed to federated peers.
- Authentication: Required
The attacker must hold administrator credentials on a remote federated Mattermost server; a standard low-privilege account is not sufficient.
- Victim interaction: Not required
No action by any user on the target server is needed; the malicious filename is delivered passively through the sync protocol.
- Attack complexity: High
Attack complexity is rated High, meaning the attacker depends on specific environmental conditions such as a live federation trust relationship being established between the attacker-controlled server and the target.
Blast Radius
- The attacker writes arbitrary files to any path within the target server's filestore that the application process can reach, enabling overwrite of existing Legal Hold export archives or other stored files.
- By planting files at chosen paths, the attacker can replace legitimate plugin assets or configuration files, corrupting the integrity of the server's stored data.
- If the filestore is shared with other services or the attacker overwrites executable or configuration content, the availability of those dependent services is disrupted.
- The attacker may read the contents of any file they can overwrite by replacing it with a known payload and retrieving it through the federation sync channel, exposing stored data including potentially sensitive Legal Hold records.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-6957 has been active for all connected registries and pipelines from the moment the CVE was published. For environments running the Mattermost Legal Hold plugin at version 1.1.5 or earlier, a patched-image rebuild at the fix version is available. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes a regression run against the updated image, and opens a pull request against the affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not yet enabled, the rebuild is staged and waiting for manual approval. As an interim compensating control, consider applying network policy to restrict which external federated servers are permitted to reach the shared-channel sync endpoint, limiting the pool of potential attackers to explicitly trusted federation peers.
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: .0
- Affected Products: 1
Fix available
- Mattermost / Mattermost ≤ 1.1.5, fixed in .0
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H