Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Mattermost |
|
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
| Vendors | Products |
|---|---|
| Mattermost |
|
References
| Link | Providers |
|---|---|
| https://mattermost.com/security-updates |
|
History
Thu, 21 May 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Mattermost
Mattermost mattermost |
|
| Vendors & Products |
Mattermost
Mattermost mattermost |
Thu, 21 May 2026 09:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640 | |
| Title | Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token. | |
| Weaknesses | CWE-22 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Mattermost
Published:
Updated: 2026-05-21T08:12:11.176Z
Reserved: 2026-03-25T15:58:42.714Z
Link: CVE-2026-4858
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-05-21T09:16:30.143
Modified: 2026-05-21T09:16:30.143
Link: CVE-2026-4858
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-05-21T10:30:07Z