CVE-2026-13426

Summary

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532

Affected Software

VendorProductVersion RangeStatus
Mattermostgithub.com/mattermost/mattermost/server/publicv0.0.0 < v0.1.22affected
Mattermostgithub.com/mattermost/mattermost/server/publicv0.1.22unaffected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References