Description
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566
Published: 2026-03-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Mattermost Server releases up to 11.4.0, 11.3.1, 11.2.3, and 10.11.11 do not rate‑limit login requests, allowing an unauthenticated attacker to send 100+ parallel HTTP/2 single‑packet login requests. This overwhelms the server and causes a crash with automatic restart, effectively denying service to all users and administrators. The vulnerability corresponds to CWE‑400, indicating a resource‑exhaustion weakness.

Affected Systems

The affected products are Mattermost Server versions 11.4.x (≤11.4.0), 11.3.x (≤11.3.1), 11.2.x (≤11.2.3), and 10.11.x (≤10.11.11). Any installation running these releases, regardless of operating system or deployment model, is susceptible.

Risk and Exploitability

The CVSS base score of 4.3 classifies the issue as low severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs unauthenticated HTTP/2 traffic to the exposed login endpoint; no privileged access is required. The attack can be executed from any network that can reach the login endpoint, and the impact is the denial of service of the Mattermost service.

Generated by OpenCVE AI on March 26, 2026 at 21:55 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher.

OpenCVE Recommended Actions

  • Apply the Mattermost patch: upgrade to version 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12, or later

Generated by OpenCVE AI on March 26, 2026 at 21:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-247x-7qw8-fp98 Mattermost doesn't rate limit login requests, allowing DoS
References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566
Title Denial of Service via HTTP/2 single packet attack on login endpoint
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Mattermost Mattermost Mattermost Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-27T14:59:50.732Z

Reserved: 2026-02-23T22:18:41.232Z

Link: CVE-2026-26233

cve-icon Vulnrichment

Updated: 2026-03-27T14:59:47.026Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T17:16:53.143

Modified: 2026-03-26T18:52:31.740

Link: CVE-2026-26233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:35Z

Weaknesses