Moderate severityNVD Advisory· Published Aug 22, 2024· Updated Aug 22, 2024

One-click Client-Side Path Traversal Leading to CSRF in User Management admin page

CVE-2024-40886

Description

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system console.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/mattermost/mattermost/server/v8Go	>= 9.9.0, < 9.9.2	9.9.2
github.com/mattermost/mattermost/server/v8Go	>= 9.5.0, < 9.5.8	9.5.8
github.com/mattermost/mattermost/server/v8Go	>= 9.10.0, < 9.10.1	9.10.1
github.com/mattermost/mattermost/server/v8Go	>= 9.8.0, < 9.8.3	9.8.3

Affected products

Mattermost/Mattermostv5
Range: 9.9.0

Patches

43355fe32a95

https://github.com/mattermost/mattermost-servervia osv

cd60532e9a41

https://github.com/mattermost/mattermost-servervia osv

7bbf7ec13048

https://github.com/mattermost/mattermost-servervia osv

23993132c67b

https://github.com/mattermost/mattermost-servervia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-hrf9-rm95-fpf3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-40886ghsaADVISORY
mattermost.com/security-updatesghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000