Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths, which allows a malicious user to cause OOM errors and crash the server by sending corrupted msgpack frames within websocket messages to the calls plugin. Mattermost Advisory ID: MMSA-2025-00537
Published: 2026-03-16
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Mattermost server versions 11.3.x up to and including 11.3.0, 11.2.x up to and including 11.2.2, and 10.11.x up to and including 10.11.10 fail to correctly handle incorrectly reported array lengths in MsgPack frames sent via WebSocket to the Calls plugin. The resulting out-of-memory error causes the server process to crash, creating a denial-of-service condition for all users. This weakness is identified as CWE-1287 (Incorrect Handling of Array Lengths).
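The defensive check the advisory implies is to validate a msgpack array header's declared element count before any allocation is sized from it. The following Go function is an added illustration written for this page, not the Mattermost or Calls plugin code; it assumes a deployment-specific cap `maxArrayLen` and rejects any header whose declared count could not fit in the bytes that remain in the frame (every element needs at least one byte), so a short frame that declares a huge array is refused instead of triggering a large preallocation.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxArrayLen is an assumed, deployment-specific cap on the number of
// elements one array may declare (constructed value for this example).
const maxArrayLen = 1 << 16

var (
	errShort      = errors.New("msgpack: truncated array header")
	errNotArray   = errors.New("msgpack: first byte is not an array header")
	errLenExceeds = errors.New("msgpack: declared array length exceeds frame")
)

// decodeArrayHeader reads a msgpack array header (fixarray, array 16 or
// array 32) and returns the declared element count and the header size.
// It refuses a count that exceeds maxArrayLen or that could not possibly
// fit in the remaining bytes, so callers never size a slice from an
// unchecked length.
func decodeArrayHeader(frame []byte) (count int, headerLen int, err error) {
	if len(frame) == 0 {
		return 0, 0, errShort
	}
	var declared uint64
	switch b := frame[0]; {
	case b >= 0x90 && b <= 0x9f: // fixarray: low 4 bits hold the count
		declared, headerLen = uint64(b&0x0f), 1
	case b == 0xdc: // array 16: 2-byte big-endian count follows
		if len(frame) < 3 {
			return 0, 0, errShort
		}
		declared, headerLen = uint64(binary.BigEndian.Uint16(frame[1:3])), 3
	case b == 0xdd: // array 32: 4-byte big-endian count follows
		if len(frame) < 5 {
			return 0, 0, errShort
		}
		declared, headerLen = uint64(binary.BigEndian.Uint32(frame[1:5])), 5
	default:
		return 0, 0, errNotArray
	}
	remaining := uint64(len(frame) - headerLen)
	if declared > maxArrayLen || declared > remaining {
		return 0, 0, fmt.Errorf("%w: declared %d, %d bytes remain", errLenExceeds, declared, remaining)
	}
	return int(declared), headerLen, nil
}
```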

Affected Systems

Affected systems are Mattermost installations running any of the following: 11.3.x up to and including 11.3.0, 11.2.x up to and including 11.2.2, or 10.11.x up to and including 10.11.10. The vendor recommends updating the server to 11.4.0, 11.3.1, 11.2.3, 10.11.11, or a subsequent release that includes the fix.

Risk and Exploitability

The CVSS score of 5.8 corresponds to a Medium severity rating. The EPSS value of less than 1% suggests a low probability that exploitation will occur in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is network-based: an attacker can send specially crafted WebSocket messages to the Calls plugin to trigger the crash. The direct impact is to availability; confidentiality and integrity are affected only indirectly, through the disruption of service for all users on the affected Mattermost server.

Generated by OpenCVE AI on March 18, 2026 at 15:26 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11, or higher.

OpenCVE Recommended Actions

  • Apply the official Mattermost patch by upgrading to server version 11.4.0, 11.3.1, 11.2.3, 10.11.11, or newer.


References
History

Wed, 18 Mar 2026 14:00:00 +0000

    Type                  Values Removed    Values Added
    First Time appeared                     Mattermost mattermost Server
    CPEs                                    cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
    Vendors & Products                      Mattermost mattermost Server

Tue, 17 Mar 2026 14:15:00 +0000

    Type                  Values Removed    Values Added
    Metrics                                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

    Type                  Values Removed    Values Added
    First Time appeared                     Mattermost; Mattermost mattermost
    Vendors & Products                      Mattermost; Mattermost mattermost

Mon, 16 Mar 2026 20:30:00 +0000

    Type                  Values Removed    Values Added
    Description                             Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537
    Title                                   DoS in Calls plugin via malformed msgpack in websocket request.
    Weaknesses                              CWE-1287
    References
    Metrics                                 cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-17T13:37:43.947Z

Reserved: 2026-02-13T10:11:47.778Z

Link: CVE-2026-2454

Vulnrichment

Updated: 2026-03-17T13:37:40.901Z

NVD

Status: Analyzed

Published: 2026-03-16T21:16:33.890

Modified: 2026-03-18T13:56:03.590

Link: CVE-2026-2454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:49Z

Weaknesses