Description
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
Published: 2026-04-09
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Mattermost plugin versions up to and including 2.3.1 permit an authenticated attacker to directly trigger a memory exhaustion condition by sending an oversized JSON payload to the {{/lifecycle}} webhook endpoint. This flaw leads to a denial of service, as the system allocates excessive memory and may become unresponsive or crash. The weakness is a classic unbounded request body read, corresponding to CWE‑770.

Affected Systems

The issue affects the Mattermost plugin system. Any installation of Mattermost plugins at version 2.3.1 or older is vulnerable, regardless of the overall Mattermost server version. The vulnerability requires the attacker to be authenticated to the platform.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity. No EPSS data and the vulnerability is not listed in CISA’s KEV catalog, suggesting no documented widespread exploitation. However, exploitation requires the attacker to possess valid credentials and to craft a large JSON payload to the webhook; once achieved, the attack is straightforward and results in service disruption.

Generated by OpenCVE AI on April 9, 2026 at 11:20 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 2.3.2.0 or higher.

OpenCVE Recommended Actions

  • Apply the vendor patch: update Mattermost plugins to version 2.3.2.0 or higher

Generated by OpenCVE AI on April 9, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Sat, 25 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:* cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Fri, 17 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Thu, 09 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Description Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
Title Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Mattermost Mattermost Mattermost Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-04-09T11:44:54.614Z

Reserved: 2026-02-11T20:56:06.579Z

Link: CVE-2026-21388

cve-icon Vulnrichment

Updated: 2026-04-09T11:44:50.805Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T11:16:20.897

Modified: 2026-04-25T18:02:06.810

Link: CVE-2026-21388

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:56Z

Weaknesses