{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26233", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-23T22:18:41.232Z", "datePublished": "2026-03-25T16:24:47.694Z", "dateUpdated": "2026-03-25T16:24:47.694Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.4.0", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "11.3.1", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThanOrEqual": "11.2.3", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.11", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"version": "11.5.0", "status": "unaffected"}, {"version": "11.4.1", "status": "unaffected"}, {"version": "11.3.2", "status": "unaffected"}, {"version": "11.2.4", "status": "unaffected"}, {"version": "10.11.12", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Axel Larsson & Jakob Ristner"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseSeverity": "MEDIUM", "baseScore": 4.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-400 Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2025-00566", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2025-00566", "defect": ["https://mattermost.atlassian.net/browse/MM-66885"], "discovery": "EXTERNAL"}, "title": "Denial of Service via HTTP/2 single packet attack on login endpoint", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-25T16:24:47.694Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566"}], "id": "CVE-2026-26233", "lastModified": "2026-03-25T17:16:53.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:53.143", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:26:11.636139+00:00", "value": {"mitigation_remediation": ["Update Mattermost to version 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or newer", "If an update is not immediately possible, disable or restrict HTTP/2 connections to the Mattermost service", "Implement or enable login request throttling at the application or network level", "Monitor server logs for anomalous login activity and block offending IP addresses"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mattermost servers running versions 11.4.x up to and including 11.4.0, 11.3.x up to 11.3.1, 11.2.x up to 11.2.3, and 10.11.x up to 10.11.11. Vulnerable releases are listed by the vendor. All other, newer Mattermost releases are reported as unaffected.", "description_and_impact": "Mattermost versions before 11.4.1, 11.3.2, 11.2.4, and 10.11.12 lack rate limiting on the login endpoint. An unauthenticated attacker can send a single HTTP/2 packet that triggers 100 or more parallel login requests. The missing limit causes the server to crash and restart, resulting in an interruption of service. The weakness corresponds to CWE\u2011400, Uncontrolled Resource Consumption.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. EPSS data is not available, but the absence of rate limiting makes exploitation straightforward for remote attackers able to initiate HTTP/2 connections. The vulnerability is not present in the CISA KEV catalog. A likely attack vector is an unauthenticated remote attacker sending a crafted HTTP/2 packet to the login endpoint to exhaust server resources and force a restart."}}}}, "created": "2026-03-25T21:46:59.265502+00:00", "updated": "2026-03-25T21:46:59.265548+00:00", "vendors": []}