CVE-2026-13426 Overview
CVE-2026-13426 is a path traversal vulnerability [CWE-22] in the Mattermost Go module github.com/mattermost/mattermost/server/public at versions prior to v0.1.22. The module fails to validate path parameters when constructing API route paths. An authenticated attacker can supply crafted IDs containing path traversal components to redirect API calls to unintended endpoints. Mattermost tracks this issue as advisory MMSA-2025-00532.
Critical Impact
Authenticated attackers can manipulate API route construction to reach unintended endpoints, resulting in limited confidentiality and integrity impact on the Mattermost server.
Affected Products
- Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22
- Applications and services that consume the affected module for API route construction
- Mattermost deployments referencing advisory MMSA-2025-00532
Discovery Timeline
- 2026-06-26 - CVE-2026-13426 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2026-13426
Vulnerability Analysis
The affected Go module constructs API route paths by concatenating caller-supplied identifiers into URL templates without validating that those identifiers conform to expected formats. When an identifier includes path traversal sequences such as ../, the resulting request URL resolves to a different endpoint than the calling code intended. The server routes the request to the traversed endpoint, executing whatever handler is registered there under the attacker's authenticated session.
The issue is classified as Improper Limitation of a Pathname to a Restricted Directory [CWE-22]. Exploitation requires network access and low-privilege authentication, but no user interaction. The Exploit Prediction Scoring System (EPSS) reports a low probability of exploitation activity in the wild at the time of publication.
Root Cause
The root cause is missing input validation on ID parameters passed to route-building helpers inside the server/public module. Callers assume the module treats identifiers as opaque strings, but the module inserts them directly into path templates. Any character with routing significance, including / and ., changes the resolved endpoint rather than being rejected or percent-encoded.
Attack Vector
An authenticated user submits an API request in which an ID field contains path traversal segments. The vulnerable route builder joins the malicious ID with the base path, producing a URL that escapes the intended resource scope. The server then dispatches the request to a different handler, allowing the attacker to invoke API operations that were not exposed by the original client flow. The impact is bounded to endpoints reachable by the attacker's existing privileges, but includes unintended read and write operations against the Mattermost API surface.
No public proof-of-concept exploit is currently available. Refer to the Mattermost Security Updates portal for advisory MMSA-2025-00532 details.
Detection Methods for CVE-2026-13426
Indicators of Compromise
- API request logs containing .., %2e%2e, %2f, or literal / characters inside path parameters that normally hold opaque IDs such as user, channel, team, or post identifiers.
- HTTP requests where the resolved route differs from the route template expected for the client action.
- Unexpected 2xx responses from administrative or cross-resource endpoints triggered by low-privilege sessions.
Detection Strategies
- Parse Mattermost access logs and alert on requests whose path segments corresponding to IDs do not match the expected identifier format (for example, 26-character alphanumeric IDs).
- Compare the declared client action with the resolved server route and flag mismatches for review.
- Correlate authenticated session identifiers with anomalous endpoint access patterns over short time windows.
Monitoring Recommendations
- Enable verbose API access logging on Mattermost servers and forward logs to a centralized analytics platform.
- Track baseline endpoint access distributions per role and alert on deviations following the disclosure date.
- Monitor outbound API traffic from applications that embed the server/public module for encoded traversal sequences.
How to Mitigate CVE-2026-13426
Immediate Actions Required
- Upgrade the github.com/mattermost/mattermost/server/public Go module to v0.1.22 or later in all consuming services.
- Rebuild and redeploy any internal tools, bots, or integrations that vendor the affected module.
- Review recent API logs for evidence of traversal patterns in ID parameters.
Patch Information
Upgrade the affected Go module to version v0.1.22, which introduces validation of path parameters before they are inserted into API route templates. Consult the Mattermost Security Updates portal and advisory MMSA-2025-00532 for the complete patch matrix and any server-side updates that must be applied alongside the module upgrade.
Workarounds
- Enforce strict server-side validation of ID path parameters to reject any value containing /, \, or . sequences.
- Place a reverse proxy or Web Application Firewall (WAF) rule in front of Mattermost to block requests whose ID segments contain encoded or literal traversal characters.
- Restrict API tokens and session privileges to the minimum required scope until the module upgrade is deployed.
# Update the Mattermost Go module to the fixed version
go get github.com/mattermost/mattermost/server/public@v0.1.22
go mod tidy
go build ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

