CVE-2026-13426
Client4 fails to validate path parameters
CVSS Score: 5.4
EPSS Score: 0.0%
EPSS Percentile: 0th
The Mattermost Go module github.com/mattermost/mattermost/server/public, in versions < v0.1.22, fails to validate path parameters when constructing API route paths, which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
| CWE | CWE-22 |
| Vendor | mattermost |
| Product | github.com/mattermost/mattermost/server/public |
| Published | Jun 26, 2026 |
| Last Updated | Jun 26, 2026 |
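The weakness class described above, as an added example (not Mattermost's code and not the fix shipped in v0.1.22): a client-side route builder that interpolates an ID unchecked, next to one that validates and escapes it. The function names, the route strings and the 26-character ID pattern are assumptions made for this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// idPattern is an assumed ID format for this sketch (26 lowercase
// alphanumerics); substitute the format your server actually issues.
var idPattern = regexp.MustCompile(`^[a-z0-9]{26}$`)

var ErrInvalidID = errors.New("invalid id in path parameter")

// unsafeUserRoute interpolates the caller-supplied ID directly, so any
// dot segments in it become part of the request path.
func unsafeUserRoute(userID string) string {
	return fmt.Sprintf("/api/v4/users/%s/image", userID)
}

// safeUserRoute rejects anything that is not a well-formed ID, then
// escapes it so the value can only ever occupy one path segment.
func safeUserRoute(userID string) (string, error) {
	if !idPattern.MatchString(userID) {
		return "", ErrInvalidID
	}
	return "/api/v4/users/" + url.PathEscape(userID) + "/image", nil
}

// resolved returns the path a normalising server or proxy would act on.
func resolved(route string) string { return path.Clean(route) }

func main() {
	// Constructed inputs: one well-formed ID, one carrying dot segments.
	for _, id := range []string{"abcdefghijklmnopqrstuvwx12", "../other"} {
		fmt.Printf("id=%q\n  unsafe resolves to %s\n", id, resolved(unsafeUserRoute(id)))
		if r, err := safeUserRoute(id); err != nil {
			fmt.Println("  safe:", err)
		} else {
			fmt.Println("  safe:", r)
		}
	}
}
```

Validation is the primary control here; the escaping is a second layer in case the ID format is ever loosened.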
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
Mattermost / github.com/mattermost/mattermost/server/public
v0.0.0 < v0.1.22
Credits
Juho Forsén