Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
Published: 2026-05-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mattermost API request handlers that serve the plugin process do not validate user-supplied input. A crafted HTTP request to the PR details endpoint can crash the plugin, causing a denial of service for users who rely on the plugin's functionality. The weakness is classified as CWE-1287 (Improper Validation of Specified Type of Input); it does not expose data but disrupts service continuity.

Affected Systems

The vulnerability affects Mattermost release lines 11.6.x (up to 11.6.0), 11.5.x (up to 11.5.3), 11.4.x (up to 11.4.4) and 10.11.x (up to 10.11.14). All of these versions expose the GitHub plugin API, and an authenticated user's crafted request can crash the plugin process.

Risk and Exploitability

The CVSS score of 4.3 reflects moderate severity. EPSS data is unavailable and the vulnerability is not listed in CISA KEV. Exploitation requires an authenticated Mattermost user to send a specifically crafted request, so the attack depends on an account and on deliberate action by that user. While the attack could bring the plugin process down, it does not compromise data or elevate privileges.

Generated by OpenCVE AI on May 22, 2026 at 12:50 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.

OpenCVE Recommended Actions

  • Apply the official Mattermost update: 11.7.0 or later, or the fixed patch releases 11.6.1, 11.5.4, 11.4.5 or 10.11.15 for the affected release lines;
  • If an immediate patch is not possible, restrict access to the GitHub plugin API or disable the plugin to prevent exploitation;
  • Monitor Mattermost logs for suspicious requests to the PR details endpoint and enforce rate limiting to mitigate potential abuse.

Advisories

No advisories yet.

References
History

Fri, 22 May 2026 13:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 13:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Mattermost; Mattermost mattermost

Type: Vendors & Products
Values removed: (none)
Values added: Mattermost; Mattermost mattermost

Fri, 22 May 2026 11:00:00 +0000

Type: Description
Values removed: (none)
Values added: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638

Type: Title
Values removed: (none)
Values added: Insufficient input validation in GitHub plugin API causes denial of service

Type: Weaknesses
Values removed: (none)
Values added: CWE-1287

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-22T12:13:19.526Z

Reserved: 2026-03-23T12:22:47.515Z

Link: CVE-2026-4646

Vulnrichment

Updated: 2026-05-22T12:13:14.988Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T13:00:13Z

Weaknesses