Path Traversal Vulnerability in Mattermost by Mattermost
CVE-2026-6961

7.6HIGH

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
12 June 2026

What is CVE-2026-6961?

Mattermost suffers from a path traversal vulnerability that allows an attacker controlling a federated server to exploit inadequate sanitization of the FileInfo.Name parameter. During shared channel file synchronization, users may be at risk as malicious filenames can be manipulated to write files into arbitrary locations within the target server's filestore. This flaw potentially jeopardizes file integrity and server security.

Affected Version(s)

Mattermost 11.6.0 <= 11.6.1

Mattermost 11.5.0 <= 11.5.4

Mattermost 10.11.0 <= 10.11.15

References

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hassan Mohammed
.