CVE-2026-2456 - Vulnerability Details

- Denial of Service via Unbounded Memory Allocation in Integration Actions

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button.. Mattermost Advisory ID: MMSA-2026-00571

Published: 2026-03-16

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mattermost fails to limit the size of responses from integration action endpoints, as stated in the vendor description: "Mattermost fails to limit the size of responses from integration action endpoints", allowing an authenticated attacker who controls a malicious integration server to trigger unbounded memory allocation. When a user clicks an interactive message button, the server processes an arbitrarily large payload and exhausts its memory, resulting in a denial of service. This weakness is identified as CWE-789, Uncontrolled Resource Consumption (CVE description).

Affected Systems

The affected product is Mattermost Server. Vulnerable releases are 11.3.x through 11.3.0, 11.2.x through 11.2.2, and 10.11.x through 10.11.10. The vendor recommends upgrading to fixed versions 11.4.0, 11.3.1, 11.2.3, or 10.11.11 or later (vendor solution).

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity (scores). The EPSS score is less than 1%, reflecting a low likelihood of exploitation (scores). This vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated Mattermost user with access to an integration endpoint; when triggered, the server may become unavailable until memory is reclaimed or the service is restarted. Overall risk is moderate, but the probability remains low due to prerequisites.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

unaffected

Version	Status	Constraints
`11.3.0`	affected	≤ 11.3.0
`11.2.0`	affected	≤ 11.2.2
`10.11.0`	affected	≤ 10.11.10
`11.4.0`	unaffected	—
`11.3.1`	unaffected	—
`11.2.3`	unaffected	—
`10.11.11`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

No data.

Vendor Product Confidence Versions

Mattermost

100%

Version	Status	Scheme	Platform
`[11.3.0,11.3.0]`	affected	semver	—
`[11.2.0,11.2.2]`	affected	semver	—
`[10.11.0,10.11.10]`	affected	semver	—
`[11.4.0,11.4.0]`	unaffected	semver	—
`[11.3.1,11.3.1]`	unaffected	semver	—
`[11.2.3,11.2.3]`	unaffected	semver	—
`[10.11.11,10.11.11]`	unaffected	semver	—

Mattermost

Server

95%

Version	Status	Scheme	Platform
`[0,*]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.

OpenCVE Recommended Actions

Upgrade Mattermost to a fixed version (11.4.0, 11.3.1, 11.2.3, 10.11.11 or later).
If an upgrade cannot be applied immediately, restrict integration responses to a safe size and monitor server memory for abnormal usage.

Generated by OpenCVE AI on March 18, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-34g8-9fpp-46ch	Mattermost fails to limit the size of responses from integration action endpoints

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://mattermost.com/security-updates

History

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost mattermost Mattermost server
Vendors & Products		Mattermost mattermost Mattermost server

Wed, 18 Mar 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Server
CPEs		cpe:2.3:a:mattermost:mattermost_server::::::::
Vendors & Products		Mattermost Mattermost mattermost Server

Mon, 16 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button.. Mattermost Advisory ID: MMSA-2026-00571
Title		Denial of Service via Unbounded Memory Allocation in Integration Actions
Weaknesses		CWE-789
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

Subscriptions

Mattermost Mattermost Mattermost Server Server

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-03-16T11:06:44.920Z

Updated: 2026-03-16T13:49:58.650Z

Reserved: 2026-02-13T11:02:52.828Z

Link: CVE-2026-2456

Vulnrichment

Updated: 2026-03-16T13:44:23.990Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:29.190

Modified: 2026-03-18T18:27:57.000

Link: CVE-2026-2456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:49Z

Weaknesses

CWE-789

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object