—

GO-2026-5092

Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in github.com/mattermost/mattermost-server

Details

Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in github.com/mattermost/mattermost-server

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/mattermost/mattermost-server

Introduced in: 10.11.0-rc1+incompatible Fixed in: 10.11.12+incompatible

Fix go get github.com/mattermost/mattermost-server@v10.11.12+incompatible

Go / github.com/mattermost/mattermost-server/v5

Introduced in: 0

No fixed version published yet for github.com/mattermost/mattermost-server/v5 (go modules). Pin to a known-safe version or switch to an alternative.

Go / github.com/mattermost/mattermost-server/v6

Introduced in: 0

No fixed version published yet for github.com/mattermost/mattermost-server/v6 (go modules). Pin to a known-safe version or switch to an alternative.

Go / github.com/mattermost/mattermost/server/v8

Introduced in: 8.0.0-20260105080200-d27a2195068d Fixed in: 8.0.0-20260217110922-b7d4a1f1f59b

Fix go get github.com/mattermost/mattermost/server/v8@v8.0.0-20260217110922-b7d4a1f1f59b

References

https://github.com/advisories/GHSA-3mw5-466q-295q [ADVISORY]
https://nvd.nist.gov/vuln/detail/CVE-2026-3112 [ADVISORY]
https://mattermost.com/security-updates [WEB]