Mattermost Path Traversal Allows API Calls with Admin Token
The National Vulnerability Database has disclosed CVE-2026-4858, a high-severity path traversal vulnerability in Mattermost versions 11.6.0, 11.5.3, 11.4.4, and 10.11.14 and earlier. The flaw stems from Mattermost’s failure to adequately validate integration URLs, allowing an authenticated, malicious user to leverage path traversal in an integration action URL.
This vulnerability permits the attacker to call arbitrary APIs using a system administrator’s Mattermost authentication token. In effect, a low-privileged authenticated user could escalate to administrator-level control over sensitive functions of the Mattermost instance. The CVSS score of 8.0 (High) reflects the significant impact on confidentiality, integrity, and availability if exploited.
For defenders, this means a critical review of Mattermost instances is in order. Attackers will always look for these types of logical flaws that turn a minor privilege into a major compromise. The ability to invoke arbitrary APIs with an admin token is a direct path to full system control, data exfiltration, or further lateral movement.
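The root cause described above is a server that accepts an integration action URL without canonicalizing it before deciding whether the URL is "internal" enough to receive a server-side credential. The following Go program is an added illustration written for this page, not Mattermost's own code: it assumes a server that resolves root-relative action URLs against itself and attaches a privileged token when the path sits under an allowlisted prefix (the `/plugins/` prefix and the sample paths are constructed for the example). It contrasts a naive prefix check, which a traversal sequence slips past, with a hardened check that parses, percent-decodes and canonicalizes the path before the allowlist comparison.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// allowedPrefixes is a constructed allowlist for this example: a root-relative
// action URL may only resolve to a path under one of these server-side prefixes.
var allowedPrefixes = []string{"/plugins/"}

// naiveCheck shows the kind of validation that fails: a bare prefix check on the
// raw string lets "/plugins/../api/v4/users" through because it does start with
// "/plugins/", even though the server will resolve it somewhere else entirely.
func naiveCheck(raw string) bool {
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(raw, p) {
			return true
		}
	}
	return false
}

// ValidateIntegrationURL parses, percent-decodes and canonicalizes a relative
// action URL and accepts it only if the canonical path still sits under an
// allowed prefix. It returns the canonical path the server should dispatch to.
func ValidateIntegrationURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("unparsable integration URL: %w", err)
	}
	// Absolute ("https://host/x") and scheme-relative ("//host/x") URLs would
	// send the server-side credential to another host; only root-relative
	// paths are accepted here.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", fmt.Errorf("only root-relative integration URLs are accepted: %q", raw)
	}
	// url.Parse has already decoded percent-escapes, so "%2e%2e" and "..%2f"
	// now read as "..". Backslashes are folded to "/" so they cannot hide a
	// segment boundary from the cleaner.
	p := strings.ReplaceAll(u.Path, "\\", "/")
	if !strings.HasPrefix(p, "/") {
		return "", fmt.Errorf("integration URL must start with '/': %q", raw)
	}
	// path.Clean resolves "." and ".." lexically; for a rooted path no ".."
	// survives, so the prefix check below runs on what would really be resolved.
	clean := path.Clean(p)
	for _, prefix := range allowedPrefixes {
		if strings.HasPrefix(clean, prefix) {
			return clean, nil
		}
	}
	return "", fmt.Errorf("canonical path %q is outside the integration allowlist", clean)
}

func main() {
	// Constructed inputs: one legitimate plugin action URL and two traversal
	// variants (plain and percent-encoded) that the naive check accepts.
	for _, raw := range []string{
		"/plugins/com.example.notify/action",
		"/plugins/../api/v4/users",
		"/plugins/%2e%2e/api/v4/users",
	} {
		clean, err := ValidateIntegrationURL(raw)
		fmt.Printf("%-36s naive=%-5v hardened=%q err=%v\n", raw, naiveCheck(raw), clean, err)
	}
}
```

The design point is ordering: decode and canonicalize first, compare against the allowlist second, and dispatch only to the canonical path the validator returned, never to the string the user supplied.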
What This Means For You
- If your organization uses Mattermost, you need to identify all instances running affected versions (11.6.0, 11.5.3, 11.4.4, and 10.11.14 and earlier) and prioritize patching immediately. This isn't a theoretical risk; it's a direct path for an authenticated user to abuse administrative privileges. Audit your Mattermost integration configurations for any suspicious URLs or activities post-patch.
Related ATT&CK Techniques
🛡️ Detection Rules
3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one is shown below as Sigma YAML.
```yaml
title: 'CVE-2026-4858: Mattermost Path Traversal to Arbitrary API Call'
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-4858 by identifying requests to Mattermost's
  integration API whose URI contains a path traversal sequence ('../', including its
  URL-encoded forms). The flaw allows an authenticated user to call arbitrary APIs
  using a system administrator's token.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4858/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Two named selections: YAML does not allow the same key twice in one mapping,
  # so the two 'cs-uri|contains' conditions must be separate selections.
  selection_path:
    cs-uri|contains: '/api/v4/integrations/'
  selection_traversal:
    cs-uri|contains:
      - '../'
      - '..%2f'
      - '%2e%2e/'
      - '%2e%2e%2f'
  condition: selection_path and selection_traversal
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
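To see what the rule above actually fires on, here is an added Go example (written for this page, not part of the feed's tooling) that applies the same logic to constructed webserver log lines: a request matches when its URI sits under the integrations API path and, after percent-decoding, contains a `../` segment. It goes one step beyond the Sigma rule by decoding the URI up to twice, so single- and double-encoded traversal sequences are compared in plain form; the log layout (`time client method uri status`) and every line in it are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleLog is constructed for this example; the fourth space-separated field
// plays the role of the rule's cs-uri. Lines 1-3 are traversal variants under
// the integrations path, line 4 is a benign action request, and line 5 is a
// traversal outside the integrations path that this rule deliberately ignores.
var sampleLog = []string{
	"2026-05-21T12:20:01Z 10.0.0.5 POST /api/v4/integrations/actions/../users/me 200",
	"2026-05-21T12:20:07Z 10.0.0.5 POST /api/v4/integrations/actions/%2e%2e/users/me 200",
	"2026-05-21T12:20:09Z 10.0.0.5 POST /api/v4/integrations/actions/%252e%252e/users/me 200",
	"2026-05-21T12:21:15Z 10.0.0.9 POST /api/v4/integrations/actions/abc123 200",
	"2026-05-21T12:22:30Z 10.0.0.9 GET /static/../../admin 404",
}

// normalizeURI percent-decodes the URI up to two times (covering double
// encoding), folds backslashes to "/" and lowercases the result so the
// comparison is case-insensitive, like Sigma's default 'contains'.
func normalizeURI(uri string) string {
	cur := uri
	for i := 0; i < 2; i++ {
		dec, err := url.PathUnescape(cur)
		if err != nil || dec == cur {
			break
		}
		cur = dec
	}
	return strings.ToLower(strings.ReplaceAll(cur, "\\", "/"))
}

// MatchesRule mirrors the Sigma condition: integrations API path AND a
// traversal segment, both evaluated on the normalized URI.
func MatchesRule(uri string) bool {
	n := normalizeURI(uri)
	return strings.Contains(n, "/api/v4/integrations/") && strings.Contains(n, "../")
}

// ScanLog returns the URIs of the log lines that match the rule; lines with
// fewer than four fields are treated as malformed and skipped.
func ScanLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue
		}
		if MatchesRule(fields[3]) {
			hits = append(hits, fields[3])
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLog(sampleLog) {
		fmt.Println("ALERT CVE-2026-4858 candidate:", h)
	}
}
```

The last sample line shows the rule's intended scope: traversal attempts elsewhere on the server are a separate detection, and keeping this rule tied to the integrations path is what keeps its false-positive rate low.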
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4858 | Path Traversal | Mattermost versions 11.6.x <= 11.6.0 |
| CVE-2026-4858 | Path Traversal | Mattermost versions 11.5.x <= 11.5.3 |
| CVE-2026-4858 | Path Traversal | Mattermost versions 11.4.x <= 11.4.4 |
| CVE-2026-4858 | Path Traversal | Mattermost versions 10.11.x <= 10.11.14 |
| CVE-2026-4858 | Auth Bypass | Vulnerable component: integration action URL allowing arbitrary API calls via system admin Mattermost auth token |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.