PatchSiren cyber security CVE debrief

CVE-2026-6961 Mattermost CVE debrief

CVE-2026-6961 is a HIGH severity vulnerability with a CVSS score of 7.6. Affected Mattermost versions are 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16. The root cause is that Mattermost does not sanitize the FileInfo.Name field received from federated peers during shared channel file sync. An attacker who controls a federated server can therefore place path traversal sequences (such as "../") in the filename field and have the target server write the synced file to a location of the attacker's choosing within its filestore, outside the directory intended for that channel's files. Because the malicious name must arrive over a shared channel sync, exploitation requires a peer that the target server has already accepted for federation. The Mattermost Advisory ID for this issue is MMSA-2026-00661.

Vendor
Mattermost
Product
Mattermost
CVSS
HIGH 7.6
CISA KEV
Not listed (per stored evidence)
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Operators of Mattermost servers running 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, or 10.11.x <= 10.11.16 should apply patches or mitigations. Exposure is concentrated on servers that participate in shared channels with other Mattermost servers, since the malicious FileInfo.Name has to be delivered by a federated peer during file sync.

Technical summary

During shared channel file sync, the receiving server takes FileInfo.Name from the remote peer and uses it when deciding where to store the synced file, without stripping or rejecting path traversal sequences. A peer under attacker control can send a name such as "../../other/location/file" and cause the target server to write the file outside the directory intended for that channel, to an arbitrary location within its filestore. The trust boundary that fails here is the one between federated servers: the filename is treated as trusted metadata rather than as untrusted input from a remote party.
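The following Go example illustrates the failure mode and one way to close it. It is an added example, not Mattermost's code: the function names (unsafeStorePath, validateSyncedFileName, safeStorePath), the filestore root and the channel directory layout are assumptions made for illustration, and the sample filenames are constructed. It shows why joining a peer-supplied name onto a storage path is not enough (path cleaning resolves the ".." components and the result lands outside the root) and how a receiver should validate a synced file name before touching storage.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// filestoreRoot stands in for the server's local filestore; constructed value.
const filestoreRoot = "/var/mattermost/data"

// unsafeStorePath mirrors the flawed pattern: the peer-supplied name is
// joined onto the filestore path with no check on where it ends up.
// filepath.Join cleans ".." components, so a traversal name escapes the root.
func unsafeStorePath(channelDir, name string) string {
	return filepath.Join(filestoreRoot, channelDir, name)
}

var errBadFileName = errors.New("rejected file name from remote cluster")

// validateSyncedFileName accepts only a bare base name: non-empty, no NUL
// bytes, no forward or back slashes (the filestore may be a backend other
// than a POSIX filesystem), and not the special entries "." or "..".
func validateSyncedFileName(name string) error {
	if name == "" || strings.ContainsRune(name, 0) {
		return errBadFileName
	}
	if strings.ContainsAny(name, `/\`) {
		return errBadFileName
	}
	if name == "." || name == ".." {
		return errBadFileName
	}
	return nil
}

// safeStorePath validates the name, builds the path, and then confirms the
// cleaned result is still inside filestoreRoot as a second, independent check.
func safeStorePath(channelDir, name string) (string, error) {
	if err := validateSyncedFileName(name); err != nil {
		return "", err
	}
	full := filepath.Join(filestoreRoot, channelDir, name)
	rel, err := filepath.Rel(filestoreRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadFileName
	}
	return full, nil
}

func main() {
	// Constructed samples: a legitimate name and a traversal payload that a
	// malicious peer could place in FileInfo.Name.
	names := []string{"report.pdf", "../../../../../etc/cron.d/evil"}
	for _, n := range names {
		fmt.Printf("unsafe: %s\n", unsafeStorePath("shared/chan1", n))
		p, err := safeStorePath("shared/chan1", n)
		fmt.Printf("safe:   %q err=%v\n", p, err)
	}
}
```

The containment check in safeStorePath is deliberately redundant with the name validation: if a later change lets a separator through, or if channelDir itself is ever derived from remote data, the Rel check still refuses anything that resolves above the filestore root.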

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to a fixed Mattermost release as indicated by advisory MMSA-2026-00661.
  • Until the upgrade is applied, review which remote clusters the server accepts for shared channels and remove or suspend any peer that is not fully trusted, since the malicious filename has to come from a federated peer.
  • Monitor shared channel sync activity and the filestore for files whose names contain path separators or ".." sequences, and for files appearing outside the directories the server normally writes to.

Evidence notes

The CVE-2026-6961 record was obtained from the official CVE.org database and the NVD detail page.

Official resources

The CVE-2026-6961 record was published and last modified on 2026-06-12 at 17:16:27 UTC. It lists the affected Mattermost versions as 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, and 10.11.x <= 10.11.16.