CVE-2026-13426 | The Mattermost Go module github.com/mattermost/mattermost/se… | CVSS 5.4 MEDIUM

Description

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532

Metadata

CVE ID: CVE-2026-13426
State: PUBLISHED
Assigner: Mattermost
Reserved: 2026-06-26 13:32 UTC
Published: 2026-06-26 13:47 UTC
Last updated: 2026-06-26 14:39 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: Mattermost / github.com/mattermost/mattermost/server/public
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Mattermost	github.com/mattermost/mattermost/server/public	—	v0.0.0 < v0.1.22, v0.1.22

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (1)

MMSA-2025-00532 https://mattermost.com/security-updates