HIGH 8.0
GHSA-c4r7-j7pp-r8mp
Mattermost has a Path Traversal issue
Details
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL. Mattermost Advisory ID: MMSA-2026-00640.
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/mattermost/mattermost-server
Introduced in:
11.6.0 Fixed in: 11.6.1 Fix
go get github.com/mattermost/mattermost-server@v11.6.1 Go / github.com/mattermost/mattermost-server
Introduced in:
11.5.0 Fixed in: 11.5.4 Fix
go get github.com/mattermost/mattermost-server@v11.5.4 Go / github.com/mattermost/mattermost-server
Introduced in:
11.4.0 Fixed in: 11.4.5 Fix
go get github.com/mattermost/mattermost-server@v11.4.5 Go / github.com/mattermost/mattermost-server
Introduced in:
10.11.0 Fixed in: 10.11.15 Fix
go get github.com/mattermost/mattermost-server@v10.11.15