CVE Catalog

CVE-2026-13426

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Summary

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components.

Risk Assessment

An attacker may gain access to unauthorized resources or perform operations on unintended API endpoints, potentially leading to data leakage or privilege escalation.

Recommendation

Immediately update the module github.com/mattermost/mattermost/server/public to version v0.1.22 or later.

Original NVD description (English source)

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532

Vulnerability data from NVD (NIST) · CISA KEV · EPSS