HarborGuard Database

Severity: HIGH | CVE-2026-6961 | CNA: Mattermost

CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to sanitize FileInfo.Name received from federated peers during shared channel file sync. This allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661

Metrics

CVSS v3.1: 7.6
Severity: HIGH
Fixed in: 10.11.16
Affected Products: 1

HarborGuard Analysis

Synopsis

A path traversal vulnerability in Mattermost's shared channel federation sync allows an attacker who controls a federated server to write files to arbitrary locations in the target server's filestore. The flaw is reachable over the network and requires a high-privilege (admin-level) federation peer relationship, with no victim interaction needed. Successful exploitation lets an attacker overwrite or plant files anywhere the Mattermost filestore process can write, with high integrity impact and limited availability disruption. Patched-image rebuilds at versions 10.11.16, 10.11.17, 11.5.5, 11.6.2, and 11.7.0 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-6961 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Mattermost advisory channel. This matching capability covers both pulled public images and custom-built images in customer registries and CI pipelines.

Triage (Available)

HarborGuard is capable of scoring this CVE at 7.6 HIGH using the CVSS v3.1 vector, surfacing it with appropriate severity weighting against each customer's compliance policy. Findings are routable to the security or platform team inbox configured within each customer organization.

Patch (Available)

A patched-image rebuild at the fix versions (10.11.16, 10.11.17, 11.5.5, 11.6.2, or 11.7.0) becomes available through HarborGuard for any environment whose scanned images include an affected Mattermost version. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target Mattermost server over the network, as the federation sync endpoint is exposed as a network service.

  • Authentication: Required

    The attacker must control a server that holds a high-privilege federated peer relationship with the target; any lower-privilege account is insufficient.

  • Victim interaction: Not required

    No user action on the target server is needed; the malicious filename is submitted directly by the attacker-controlled federated peer.

  • Attack complexity

    Exploitation is reliable and condition-free once a federated peer relationship exists; no race conditions or special memory layout are required.

Blast Radius

  • Attacker writes arbitrary files to any path the Mattermost filestore process can reach, including overwriting existing configuration or plugin files.
  • Placing attacker-controlled files in executable or configuration paths can set up further compromise of the Mattermost server process.
  • Overwriting or corrupting filestore content disrupts file availability for users, consistent with the low availability impact in the CVSS score.
  • No direct confidentiality exposure is indicated; the primary risk is unauthorized modification of stored data and server files.
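The root cause described above is a filename from an untrusted peer being used to build a filestore path. The following Go example, added here and not taken from Mattermost's code or its fix, shows the shape of the check a receiving server should apply: accept only a bare base name (no separators, no "..", no NUL, no absolute path), then confirm the joined target still resolves inside the filestore root as a second, independent bound. The function names and the sample root directory are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for any filename that could escape the filestore.
var ErrUnsafeName = errors.New("unsafe filename from federated peer")

// ValidatePeerFileName accepts only a bare base name received from a federated
// peer: no path separators, no traversal components, no NUL bytes, and not an
// absolute path. Illustrative check (hypothetical name), not Mattermost's own code.
func ValidatePeerFileName(name string) error {
	if name == "" || name == "." || name == ".." {
		return ErrUnsafeName
	}
	// Reject both separator styles and NUL regardless of host OS, so a peer
	// cannot smuggle a Windows-style "..\" through a Linux server or vice versa.
	if strings.ContainsAny(name, "/\\\x00") {
		return ErrUnsafeName
	}
	// For a genuine base name, filepath.Base is the identity; anything else
	// means the value carried directory structure.
	if filepath.Base(name) != name {
		return ErrUnsafeName
	}
	return nil
}

// ResolveInFilestore validates the name, joins it onto the filestore root and
// then confirms the cleaned result is still inside root. The second check is
// defence in depth: even if validation were bypassed, the write target stays
// bounded to root. Hypothetical helper for illustration.
func ResolveInFilestore(root, name string) (string, error) {
	if err := ValidatePeerFileName(name); err != nil {
		return "", err
	}
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, name) // Join also runs Clean
	rel, err := filepath.Rel(cleanRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: resolves outside filestore", ErrUnsafeName)
	}
	return target, nil
}

func main() {
	root := "/var/mattermost/data" // constructed sample filestore root
	// Constructed sample names: one benign, the rest of the kind a sanitizer must reject.
	for _, n := range []string{"report.pdf", "../../etc/passwd", "a/b.txt", "..", "x\x00.txt"} {
		p, err := ResolveInFilestore(root, n)
		fmt.Printf("%q -> %q err=%v\n", n, p, err)
	}
}
```

The validation step is the one that closes the advisory's flaw; the `filepath.Rel` bound is kept separately so that a future change to the validation logic cannot silently reopen a write outside the filestore.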

How HarborGuard Handles This

Available on HarborGuard: images containing affected Mattermost versions (10.11.x through 10.11.15 or 10.11.16, 11.5.x through 11.5.4, and 11.6.x through 11.6.1) are matched against this CVE during every scan cycle. Rebuilt images at the fixed versions are available for environments where the affected image is identified. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, runs the configured regression suite, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the finding is surfaced in the customer's configured triage inbox with full CVSS context and fix-version details for manual action. Until an upgrade is applied, compensating controls worth considering include restricting which external servers are permitted to establish federation peer relationships and applying network policy to limit the federation sync endpoint to known trusted peer addresses.


Fix available: 10.11.16, 10.11.17, 11.5.5, 11.6.2, 11.7.0

Affected packages
  • Mattermost / Mattermost
    Affected: ≤ 11.6.1 · ≤ 11.5.4 · ≤ 10.11.15 · ≤ 10.11.16
    Fixed in: 11.7.0, 11.6.2, 11.5.5, 10.11.16, 10.11.17

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L