CVE-2026-6957
Description
Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Mattermost plugin path traversal in versions <=1.1.5 lets a federated server admin write arbitrary files to the target server's filestore.
Vulnerability
Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths. This path traversal vulnerability exists in the shared-channel attachment sync protocol, where a filename delivered via federation can contain path traversal sequences like ../, enabling writing outside the intended directory.
Exploitation
An attacker must be an administrator of a remote federated Mattermost server. Through the shared-channel attachment sync mechanism, the attacker sends a malicious filename containing path traversal sequences. The target server does not validate the filename before constructing the export destination path, allowing the file to be written to an arbitrary location within the target server's filestore. No additional user interaction is required on the target side.
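The root cause described above is a missing validation step between receiving a peer-supplied filename and joining it onto an export directory. The following Go code is an added example of what that step could look like on the receiving side; it is not Mattermost's code and not the vendor's actual fix. The function names, the export directory and the sample filenames are all assumptions constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeFilename is returned when a peer-supplied filename is rejected.
var ErrUnsafeFilename = errors.New("unsafe filename received from federated peer")

// SanitizeAttachmentName validates a filename received over a shared-channel
// attachment sync. Hypothetical helper: it accepts only a single path element
// and rejects anything that could select a different destination directory.
func SanitizeAttachmentName(name string) (string, error) {
	switch {
	case name == "", name == ".", name == "..":
		return "", ErrUnsafeFilename
	case strings.ContainsAny(name, "/\\"):
		// Any separator, Unix or Windows style, means the peer is trying to
		// name a directory, which a plain attachment never needs to do.
		return "", ErrUnsafeFilename
	case strings.ContainsRune(name, 0):
		// A NUL byte can truncate the path in lower layers.
		return "", ErrUnsafeFilename
	}
	return name, nil
}

// ExportDestination builds the on-disk path for an attachment and, as a second
// independent check, confirms that the result still lies inside exportDir.
func ExportDestination(exportDir, peerName string) (string, error) {
	name, err := SanitizeAttachmentName(peerName)
	if err != nil {
		return "", err
	}
	root, err := filepath.Abs(exportDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(root, name)
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeFilename
	}
	return dest, nil
}

func main() {
	// Constructed sample filenames: one benign, the rest shaped like traversal attempts.
	samples := []string{"report.pdf", "../../config/config.json", "..\\..\\x.txt", "sub/file.txt"}
	for _, s := range samples {
		dest, err := ExportDestination("/var/mattermost/export", s)
		if err != nil {
			fmt.Printf("%-30q rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-30q -> %s\n", s, dest)
	}
}
```

The design choice worth noting is that the filename is rejected rather than cleaned: stripping traversal sequences invites bypasses, whereas a sync protocol can simply refuse any name that is not a single path element. The `filepath.Rel` check after the join is redundant with the first check by design, so that a future change to one guard does not silently remove the protection.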
Impact
Successful exploitation allows the administrator of a federated server to write files to arbitrary locations within the target server's filestore. This can lead to unauthorized file creation, overwriting of critical files, and potentially privilege escalation or code execution, depending on which paths are writable. The confidentiality, integrity, and availability of the target system may be compromised.
Mitigation
Mattermost has addressed this issue in a security update. Users should upgrade to Mattermost Plugins version 1.1.6 or later, as the fix was included in the release corresponding to advisory MMSA-2026-00659 [1]. No workarounds are documented; upgrading is the recommended mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.