PatchSiren cyber security CVE debrief

CVE-2026-6957 Mattermost CVE debrief

A path traversal vulnerability in Mattermost Plugins versions 1.1.5 and earlier allows remote administrators of federated Mattermost servers to write files to arbitrary locations within a target server's filestore. The vulnerability exists because filenames received from federated peers are not sanitized before being used to construct export destination paths during shared-channel attachment synchronization. An attacker with administrative privileges on a remote federated server can exploit this by delivering malicious filenames through the shared-channel attachment sync protocol, potentially achieving remote code execution or data exfiltration depending on filestore permissions and configuration. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, no user interaction, changed scope, and high impacts to confidentiality, integrity, and availability. This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Vendor: Mattermost
Product: Unknown
CVSS: 8.0 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations operating Mattermost servers with shared-channel federation enabled, particularly those federating with external or less-trusted administrative domains. Security teams responsible for collaboration platform security, incident responders investigating potential filestore compromises, and administrators managing multi-tenant or federated Mattermost deployments.

Technical summary

The vulnerability stems from insufficient input validation in the shared-channel attachment synchronization protocol. When a federated peer server transmits a filename for attachment export, the receiving Mattermost instance uses this filename directly in path construction without sanitizing directory traversal sequences (e.g., ../). An attacker controlling a federated peer can craft filenames containing path traversal components to escape the intended attachment directory and write files to arbitrary locations within the filestore. The attack requires high privileges (administrator on federated server) and high attack complexity due to federation prerequisites, but successful exploitation yields high impact across confidentiality, integrity, and availability with changed scope indicating potential impact beyond the vulnerable component.
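As an added illustration (not Mattermost's own code), the unsanitized join pattern this debrief describes next to a confined version, in Go because Mattermost is written in Go; the export directory and the peer-supplied filenames are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a peer-supplied filename would not stay inside
// the attachment export directory.
var ErrTraversal = errors.New("peer filename rejected: would escape export directory")

// unsafeExportPath reproduces the pattern this debrief describes: the filename
// received from the federated peer is joined onto the export directory as-is.
// filepath.Join cleans the result, so "../" segments walk out of exportDir.
func unsafeExportPath(exportDir, remoteName string) string {
	return filepath.Join(exportDir, remoteName)
}

// safeExportPath treats the remote filename as untrusted. It accepts only a
// bare file name (no separators, no NUL, not "." or "..") and then confirms,
// as defence in depth, that the joined path still resolves directly under
// exportDir. Callers should log the error: a rejection is a detection signal.
func safeExportPath(exportDir, remoteName string) (string, error) {
	if remoteName == "" ||
		strings.ContainsAny(remoteName, "/\\\x00") ||
		remoteName == "." || remoteName == ".." {
		return "", ErrTraversal
	}
	base := filepath.Clean(exportDir)
	dst := filepath.Join(base, remoteName)
	rel, err := filepath.Rel(base, dst)
	if err != nil || rel != remoteName {
		return "", ErrTraversal
	}
	return dst, nil
}

func main() {
	// Constructed sample: an export root and three peer-supplied names.
	const exportDir = "/srv/mattermost/data/attachments"
	for _, n := range []string{"report.pdf", "../../config/config.json", "..\\..\\config.json"} {
		fmt.Printf("unsafe join: %s\n", unsafeExportPath(exportDir, n))
		if dst, err := safeExportPath(exportDir, n); err != nil {
			fmt.Printf("safe:        %v (%q)\n", err, n)
		} else {
			fmt.Printf("safe:        %s\n", dst)
		}
	}
}
```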

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Mattermost Plugins to a version later than 1.1.5 as soon as security updates are available from Mattermost
  • Review and audit shared-channel federation configurations, particularly with untrusted or less-trusted partner organizations
  • Implement network segmentation to restrict federation connections to trusted administrative domains only
  • Monitor filestore access logs for anomalous file writes outside expected attachment directories
  • Apply principle of least privilege to filestore permissions, ensuring the Mattermost process cannot write to sensitive system directories
  • Review Mattermost security advisory MMSA-2026-00659 for vendor-specific remediation guidance

Evidence notes

Official CVE record published 2026-05-27. Mattermost advisory ID MMSA-2026-00659 referenced in description. CVSS 3.1 score 8.0 (HIGH) with vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. CWE-22 (Path Traversal) identified in NVD weakness data.
