PT-2026-42439 · Mattermost · Mattermost

Daw10

·

Published

2026-05-21

·

Updated

2026-06-25

·

CVE-2026-4858

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14
Description An authenticated user can perform path traversal in the integration action URL. This occurs because the software fails to properly validate the integration URL, allowing the user to call an arbitrary API using the system admin Mattermost authentication token.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09267
CVE-2026-4858
GHSA-C4R7-J7PP-R8MP
GO-2026-5311

Affected Products

Mattermost