CVE-2026-26246 - Vulnerability Details

- Memory Exhaustion via Malformed PSD File Upload

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572

Published: 2026-03-16

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mattermost versions 11.3.x (≤11.3.0), 11.2.x (≤11.2.2), and 10.11.x (≤10.11.10) do not bound memory allocation when processing PSD image files. This weakness, identified as CWE‑789, allows an authenticated attacker to upload a specially crafted PSD file that causes the server to allocate more memory than intended, exhausting system memory and resulting in a denial of service.

Affected Systems

The affected product is Mattermost Server. The vulnerable releases are 11.3.x up to 11.3.0, 11.2.x up to 11.2.2, and 10.11.x up to 10.11.10. Official fixes are delivered to 11.4.0, 11.3.1, 11.2.3, 10.11.11, and later versions.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while an EPSS score of less than 1% suggests a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication with upload privileges, it is most likely to be exploited by internal users or actors who can join the system. Exploitation results in server memory exhaustion and a temporary denial of service; full system compromise is not indicated in the description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mattermost

unaffected

Version	Status	Constraints
`11.3.0`	affected	≤ 11.3.0
`11.2.0`	affected	≤ 11.2.2
`10.11.0`	affected	≤ 10.11.10
`11.4.0`	unaffected	—
`11.3.1`	unaffected	—
`11.2.3`	unaffected	—
`10.11.11`	unaffected	—

Configuration 1 [-]

OR	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::
	cpe:2.3:a:mattermost:mattermost_server::::::::

No data.

Vendor Product Confidence Versions

Mattermost

100%

Version	Status	Scheme	Platform
`11.3.0`	affected	semver	—
`[11.2.0,11.2.2]`	affected	semver	—
`[10.11.0,10.11.10]`	affected	semver	—
`11.4.0`	unaffected	semver	—
`11.3.1`	unaffected	semver	—
`11.2.3`	unaffected	semver	—
`10.11.11`	unaffected	semver	—

Mattermost

Server

90%

Version	Status	Scheme	Platform
`[0,*]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.

OpenCVE Recommended Actions

Update Mattermost to version 11.4.0, 11.3.1, 11.2.3, 10.11.11 or newer, as released by Mattermost
If patching cannot be performed immediately, restrict PSD uploads to trusted users only and monitor server memory usage for abnormal spikes

Generated by OpenCVE AI on March 18, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-44mv-jq72-gj49	Mattermost fails to bound memory allocation when processing PSD image files

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://mattermost.com/security-updates

History

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost mattermost Mattermost server
Vendors & Products		Mattermost mattermost Mattermost server

Wed, 18 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mattermost Mattermost mattermost Server
CPEs		cpe:2.3:a:mattermost:mattermost_server::::::::
Vendors & Products		Mattermost Mattermost mattermost Server

Mon, 16 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 11:45:00 +0000

Type	Values Removed	Values Added
Description		Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572
Title		Memory Exhaustion via Malformed PSD File Upload
Weaknesses		CWE-789
References		https://mattermost.com/security-updates
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Mattermost Mattermost Mattermost Server Server

MITRE

Status: PUBLISHED

Assigner: Mattermost

Published: 2026-03-16T11:33:02.591Z

Updated: 2026-03-16T13:49:57.467Z

Reserved: 2026-02-13T10:39:47.105Z

Link: CVE-2026-26246

Vulnrichment

Updated: 2026-03-16T13:44:11.492Z

NVD

Status : Analyzed

Published: 2026-03-16T14:18:26.880

Modified: 2026-03-18T18:03:54.180

Link: CVE-2026-26246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:43Z

Weaknesses

CWE-789

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object