Description
Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589
Published: 2026-03-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Mattermost plugins allow a webhook endpoint to process incoming requests without validating the request size. An authenticated attacker can send oversized or malformed payloads that overwhelm the service, leading to a loss of availability for all users. The vulnerability is a classic resource exhaustion weakness (CWE‑400). The impact is limited to service disruption and does not expose data or allow code execution.

Affected Systems

Any Mattermost installation running the Zoom plugin on versions up to 11.4, 11.0.4, 11.1.3, 11.3.2, or 10.11.11.0 is affected. These versions fail to enforce request size limits, leaving the webhook endpoint open to abuse.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate severity. Because the attacker must be authenticated, exploitation requires legitimate access to the Mattermost instance, but a single authenticated user can trigger a denial of service that impacts all users. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, reducing immediate visibility of exploitation. Still, organizations that host Mattermost should treat this as a moderate risk due to its availability impact and the ease of sending crafted requests once authenticated.

Generated by OpenCVE AI on March 26, 2026 at 17:24 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher.

OpenCVE Recommended Actions

  • Update Mattermost plugins to a patched version (11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or newer).
  • Verify the plugin version on your Mattermost instance using the plugin management interface.
  • If an update momentarily disrupts services, test in a staging environment before redeploying.

Generated by OpenCVE AI on March 26, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589
Title Improper Input Validation in Zoom Plugin Webhook Handler
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-26T17:51:14.971Z

Reserved: 2026-02-24T11:10:17.757Z

Link: CVE-2026-3116

cve-icon Vulnrichment

Updated: 2026-03-26T17:47:33.539Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-03-26T17:16:42.823

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-3116

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:26:25Z

Weaknesses