Path Traversal Vulnerability in Mattermost by Mattermost Inc.
CVE-2026-4858

8HIGH

Key Information:

Vendor: Mattermost
Status: Mattermost
Vendor: CVE Published:; 21 May 2026

What is CVE-2026-4858?

Mattermost versions up to 11.6.0, 11.5.3, 11.4.4, and 10.11.14 exhibit a path traversal vulnerability due to insufficient validation of integration URLs. This flaw enables a malicious authenticated user, possessing a system admin Mattermost auth token, to exploit arbitrary API calls, potentially leading to unauthorized access and data exposure. To mitigate this issue, users are advised to update to the latest versions and review integration URL practices as outlined in the advisory.

Affected Version(s)

Mattermost 11.6.0

Mattermost 11.5.0 <= 11.5.3

Mattermost 11.4.0 <= 11.4.4

References

https://mattermost.com/security-updates

vendor-advisory

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 21, 2026
Vulnerability Reserved
Mar 25, 2026

Credit

daw10

CVE-2026-4858 Data

JSON