{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13426", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-06-26T13:32:10.276Z", "datePublished": "2026-06-26T13:47:10.090Z", "dateUpdated": "2026-06-26T14:39:00.126Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "github.com/mattermost/mattermost/server/public", "vendor": "Mattermost", "versions": [{"lessThan": "v0.1.22", "status": "affected", "version": "v0.0.0", "versionType": "semver"}, {"version": "v0.1.22", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Juho Fors\u00e9n"}], "descriptions": [{"lang": "en", "value": "The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseSeverity": "MEDIUM", "baseScore": 5.4}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00532", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update the github.com/mattermost/mattermost/server/public module to v0.1.22 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2025-00532", "defect": ["https://mattermost.atlassian.net/browse/MM-65969"], "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "title": "Client4 fails to validate path parameters", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-06-26T13:47:10.090Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T14:38:53.805003Z", "id": "CVE-2026-13426", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T14:39:00.126Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-13426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T14:38:53.805003Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T14:38:56.725Z"}}], "cna": {"title": "Client4 fails to validate path parameters", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-65969"], "advisory": "MMSA-2025-00532", "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "credits": [{"lang": "en", "type": "finder", "value": "Juho Fors\u00e9n"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "github.com/mattermost/mattermost/server/public", "versions": [{"status": "affected", "version": "v0.0.0", "lessThan": "v0.1.22", "versionType": "semver"}, {"status": "unaffected", "version": "v0.1.22"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the github.com/mattermost/mattermost/server/public module to v0.1.22 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00532", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-06-26T13:47:10.090Z"}}}, "cveMetadata": {"cveId": "CVE-2026-13426", "state": "PUBLISHED", "dateUpdated": "2026-06-26T14:39:00.126Z", "dateReserved": "2026-06-26T13:32:10.276Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-06-26T13:47:10.090Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{}

{}

{"created": "2026-06-26T15:45:02.970407+00:00", "updated": "2026-06-26T15:45:02.970421+00:00", "vendors": []}