Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}.. Mattermost Advisory ID: MMSA-2026-00608
Published: 2026-05-18
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper input validation flaw in the start meeting API endpoint that does not limit the size of the request body. An attacker who has authenticated to the Mattermost server can craft an oversized HTTP POST request to /api/v1/meetings, forcing the application to consume excessive resources and eventually become unavailable. This can result in a denial of service for that particular user session.

Affected Systems

Mattermost Mattermost versions 10.11.0 through 10.11.13, 11.4.0 through 11.4.3, and 11.5.0 through 11.5.1 are affected.

Risk and Exploitability

The CVSS score of 4.3 denotes a low‑to‑moderate risk, while EPSS data is not available, so the exploitation probability is unknown. The vulnerability is not listed in CISA KEV. Attackers need only an authenticated session and the ability to issue HTTP POST requests to the server; a single oversized request can trigger resource exhaustion and a denial of service once limits are exceeded.

Generated by OpenCVE AI on May 18, 2026 at 09:22 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Mattermost to version 11.6.0 or newer, 11.5.2 or newer, 10.11.14 or newer, or 11.4.4 or newer.
  • Monitor application logs for unusually large POST requests to the /api/v1/meetings endpoint and investigate any anomalies.
  • Configure the web server or reverse proxy to enforce a maximum request body size to prevent similar issues in the future.

Generated by OpenCVE AI on May 18, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Mon, 18 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 18 May 2026 08:00:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}.. Mattermost Advisory ID: MMSA-2026-00608
Title Improper Input Validation in MS Teams Meetings API Handler
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T06:51:47.104Z

Reserved: 2026-02-11T00:04:25.542Z

Link: CVE-2026-2325

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-18T08:16:13.757

Modified: 2026-05-18T08:16:13.757

Link: CVE-2026-2325

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T09:30:22Z

Weaknesses