CVE-2026-13426
MediumCVSS 5.4Summary
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components.
Risk Assessment
An attacker may gain access to unauthorized resources or perform operations on unintended API endpoints, potentially leading to data leakage or privilege escalation.
Recommendation
Immediately update the module github.com/mattermost/mattermost/server/public to version v0.1.22 or later.
Original NVD description (English source)
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532

