PatchSiren cyber security CVE debrief

CVE-2026-4858 Mattermost CVE debrief

CVE-2026-4858 is a Mattermost path traversal issue in integration action URL handling. According to the published description, a malicious authenticated user can bypass URL checks and use path traversal to call arbitrary APIs with the system admin Mattermost auth token. The issue is tracked by Mattermost as advisory MMSA-2026-00640 and is rated CVSS 8.0 (HIGH).

Vendor: Mattermost
Product: Unknown
CVSS: 8.0 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Mattermost administrators, security teams, and platform owners running affected Mattermost versions, especially environments that use integrations or action URLs and rely on system admin authentication tokens.

Technical summary

The vulnerability is described as a failure to validate integration URLs against path traversal, allowing an authenticated attacker to manipulate an integration action URL and reach arbitrary API endpoints using a system admin Mattermost auth token. NVD lists CWE-22 and the CVSS 3.1 vector AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. Affected versions listed in the source are 11.6.x up to and including 11.6.0, 11.5.x up to and including 11.5.3, 11.4.x up to and including 11.4.4, and 10.11.x up to and including 10.11.14.
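The CWE-22 pattern behind this class of bug is a prefix check performed on the raw URL path before dot-segments are resolved. The following Go example is added here for illustration and is not Mattermost code; it does not reproduce the actual vulnerable logic, which the record does not show. The allowed prefix "/plugins/actions/" and the sample paths are hypothetical. It places a naive check beside a hardened one that rejects dot-segments and non-canonical paths before comparing against the allowlist.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// allowedPrefix is a hypothetical prefix under which integration action
// callbacks are permitted. It is not a Mattermost identifier.
const allowedPrefix = "/plugins/actions/"

// naiveCheck shows the CWE-22 mistake: the prefix is compared on the path
// as received, so "/plugins/actions/../../admin/x" passes even though a
// server resolving dot-segments would route it elsewhere.
func naiveCheck(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if !strings.HasPrefix(u.Path, allowedPrefix) {
		return errors.New("path outside allowed prefix")
	}
	return nil
}

// hardenedCheck rejects any path containing "." or ".." segments, rejects
// paths that change under path.Clean (e.g. doubled slashes), and only then
// compares the canonical path against the allowlist. url.Parse has already
// decoded %2F and %2E into "/" and ".", so encoded forms cannot slip past
// the segment check. Host/scheme allowlisting is a separate concern and is
// not shown here.
func hardenedCheck(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Path == "" {
		return errors.New("empty path")
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "." || seg == ".." {
			return errors.New("dot-segment in path rejected")
		}
	}
	canon := path.Clean(u.Path)
	if len(u.Path) > 1 && strings.HasSuffix(u.Path, "/") {
		canon += "/" // keep a single trailing slash; path.Clean strips it
	}
	if canon != u.Path {
		return errors.New("non-canonical path rejected")
	}
	if !strings.HasPrefix(canon, allowedPrefix) {
		return errors.New("path outside allowed prefix")
	}
	return nil
}

func main() {
	// Constructed sample inputs, not values from the advisory.
	for _, p := range []string{
		"/plugins/actions/run",
		"/plugins/actions/../../admin/x",
		"/plugins/actions/..%2F..%2Fadmin/x",
		"/plugins/actions//run",
		"/admin/x",
	} {
		fmt.Printf("%-40s naive=%v hardened=%v\n", p, naiveCheck(p), hardenedCheck(p))
	}
}
```

The design choice worth noting is rejection rather than normalization: a callback URL that needs dot-segments or doubled slashes to express its target is almost certainly not a legitimate integration endpoint, and refusing it avoids having to reason about every decoding layer between the check and the router.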

Defensive priority

High. The combination of authenticated access, token abuse, and potential cross-scope impact makes this important to remediate promptly in any exposed Mattermost deployment.

Recommended defensive actions

  • Upgrade Mattermost to a fixed version referenced by the vendor advisory for MMSA-2026-00640.
  • Review and restrict who can create or modify integrations and action URLs.
  • Audit system admin auth token usage and rotate tokens if there is any sign of abuse.
  • Check logs for unusual integration action URL activity, especially requests containing traversal-like path segments.
  • Verify affected deployments against the version ranges listed in the advisory and prioritize internet-facing or highly privileged instances.
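To support the log-review step above, here is an added Go example (not a Mattermost tool, and not Mattermost's log format) that scans constructed request-log lines for traversal-like path segments: literal "..", percent-encoded dots or separators, and paths that change under canonicalization. The "method path status" line shape and the paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed sample lines in a generic "METHOD PATH STATUS" form. This is
// not Mattermost's log format; adapt the field extraction to your own logs.
var sampleLog = []string{
	"POST /plugins/actions/run 200",
	"POST /plugins/actions/../../admin/users 200",
	"POST /plugins/actions/..%2F..%2Fadmin/users 200",
	"POST /plugins/actions/%2e%2e/%2e%2e/admin/users 200",
	"GET /plugins/actions/run/ 200",
	"POST /plugins/actions//run 200",
}

// traversalIndicators returns the reasons a request path looks like a
// traversal attempt; an empty slice means nothing suspicious was found.
func traversalIndicators(rawPath string) []string {
	var reasons []string
	lower := strings.ToLower(rawPath)
	if strings.Contains(lower, "%2e") || strings.Contains(lower, "%2f") || strings.Contains(lower, "%5c") {
		reasons = append(reasons, "encoded dot or separator")
	}
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return append(reasons, "malformed percent-encoding")
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			reasons = append(reasons, "dot-dot segment")
			break
		}
	}
	// A path that changes under path.Clean (beyond a single trailing slash)
	// contained dot-segments or doubled slashes the router would collapse.
	if c := path.Clean(decoded); c != decoded && c+"/" != decoded {
		reasons = append(reasons, "non-canonical path")
	}
	return reasons
}

// scanLog maps the index of each flagged line to its indicators. Lines with
// fewer than two fields are skipped rather than treated as suspicious.
func scanLog(lines []string) map[int][]string {
	flagged := make(map[int][]string)
	for i, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		if r := traversalIndicators(fields[1]); len(r) > 0 {
			flagged[i] = r
		}
	}
	return flagged
}

func main() {
	for i, reasons := range scanLog(sampleLog) {
		fmt.Printf("line %d: %s  [%s]\n", i, sampleLog[i], strings.Join(reasons, "; "))
	}
}
```

Doubled slashes are reported as "non-canonical" rather than as traversal; they are worth a look but are far more often a client bug than an attack, so tune the triage accordingly.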

Evidence notes

All claims here are limited to the supplied CVE/NVD record and the referenced Mattermost security-updates page. The CVE description states the affected Mattermost version ranges, the authenticated-user prerequisite, the path traversal flaw in integration action URL validation, and the ability to invoke arbitrary APIs with a system admin auth token. NVD adds CWE-22 and the CVSS 3.1 vector AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. Published and modified dates are both 2026-05-21T09:16:30.143Z.

Official resources

Published on 2026-05-21. The source record and NVD entry were both last modified on 2026-05-21.