CVE 5.4 MEDIUM

Client4 fails to validate path parameters_CVE-2026-13426

June 26, 2026 invoker category_cve
5.4 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532

Basic Information

ID CVE-2026-13426
Source Mattermost
Published Jun 26, 2026 at 13:47

Affected Product

Vendor Mattermost
Product github.com/mattermost/mattermost/server/public
Version v0.0.0
Affected Versions Mattermost github.com/mattermost/mattermost/server/public v0.0.0

CWE Classification

CWE-22

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.