PT-2026-52708 · Mattermost · Github.Com/Mattermost/Mattermost-Server

Juho Forsén · Published 2026-06-26 · Updated 2026-06-26 · CVE-2026-13426

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

The Mattermost Go module github.com/mattermost/mattermost/server/public, versions < v0.1.22, fails to validate path parameters when constructing API route paths, which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
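
The following is an added example, not code from Mattermost or from this advisory, showing the class of defect described above beside one way to guard against it in Go. The route prefix, the function names and the 26-character alphanumeric ID format are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
)

// ErrInvalidID reports an ID that is not safe to place in a route path.
var ErrInvalidID = errors.New("id is not a valid path segment")

// isValidID is an assumed format check for this example: exactly 26
// ASCII letters or digits, so '/', '.', '%', '?' and '#' can never appear.
func isValidID(id string) bool {
	if len(id) != 26 {
		return false
	}
	for i := 0; i < len(id); i++ {
		c := id[i]
		if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9') {
			return false
		}
	}
	return true
}

// naiveUserRoute shows the pattern the advisory describes: the ID is
// concatenated into the route path without any validation.
func naiveUserRoute(id string) string {
	return "/api/v4/users/" + id
}

// safeUserRoute validates the ID first, then escapes it as defence in depth.
func safeUserRoute(id string) (string, error) {
	if !isValidID(id) {
		return "", ErrInvalidID
	}
	return "/api/v4/users/" + url.PathEscape(id), nil
}

func main() {
	crafted := "../channels" // constructed sample input
	// After normalisation the naive path no longer points under /users.
	fmt.Println(path.Clean(naiveUserRoute(crafted)))
	_, err := safeUserRoute(crafted)
	fmt.Println(err)
}
```

Rejecting on an allow-list of characters and a fixed length catches encoded separators such as %2F as well, which escaping alone would pass through as a literal segment.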

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-13426

Affected Products

Github.Com/Mattermost/Mattermost-Server