Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to crash the server via timing the creation of persistent notification message between the server deleting existing persistent notifications and archiving the channel.. Mattermost Advisory ID: MMSA-2026-00637
Published: 2026-05-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions in the 11.6.x, 11.5.x, 11.4.x, and 10.11.x branches contain a concurrency flaw that prevents the server from archiving a channel before removing persistent notifications. An authenticated user can exploit this timing mismatch by creating a persistent notification just after the server deletes existing notifications and before it archives the channel, causing a crash that results in a denial of service.

Affected Systems

The vulnerability impacts all Mattermost installations running 11.6.x up to and including 11.6.0, 11.5.x up to 11.5.3, 11.4.x to 11.4.4, and 10.11.x to 10.11.14. Versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, and 10.11.15 or newer contain the fix.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is not available, so the exploitation likelihood is uncertain but potentially significant. The vulnerability is not included in the CISA KEV catalog. Because it requires authenticated access, the attack surface is limited to users with permission to create persistent notifications, but the impact—server crash—is critical.

Generated by OpenCVE AI on May 22, 2026 at 12:20 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.

OpenCVE Recommended Actions

  • Update Mattermost to at least 11.7.0, 11.6.1, 11.5.4, 11.4.5, or 10.11.15 and newer, ensuring all nodes use the same patched version.
  • Enforce strict permission policies so that only trusted administrators can create persistent notifications, and audit user roles to reduce the risk of abuse.
  • Continuously monitor server logs for exception patterns that may indicate attempts to trigger the timing flaw and alert on repeated crash attempts.

Generated by OpenCVE AI on May 22, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon
History

Fri, 22 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Fri, 22 May 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 11:00:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to crash the server via timing the creation of persistent notification message between the server deleting existing persistent notifications and archiving the channel.. Mattermost Advisory ID: MMSA-2026-00637
Title Persistent notification timing attack causing server denial of service
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-22T12:06:16.773Z

Reserved: 2026-03-23T08:41:57.555Z

Link: CVE-2026-4635

cve-icon Vulnrichment

Updated: 2026-05-22T12:06:13.664Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T13:00:12Z

Weaknesses