Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry.. Mattermost Advisory ID: MMSA-2026-00641
Published: 2026-05-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost fails to exclude nil elements from outgoing webhook attachment payloads before processing. An authenticated user who can create a webhook callback containing a null attachment entry can cause the server process to terminate, resulting in a denial of service. The vulnerability stems from improper handling of nil values during payload rendering and is classified as CWE-754.

Affected Systems

Affected is Mattermost. Versions 11.6.0 or earlier, 11.5.3 or earlier, 11.4.4 or earlier, and 10.11.14 or earlier are vulnerable. The vendor recommends upgrading to 11.7.0, 11.6.1, 11.5.4, 11.4.5, or 10.11.15 and later, respectively.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate risk, and the EPSS score is not available. This issue is not listed in the CISA KEV catalog. The attacker must be an authenticated user with the ability to post messages; such a user can force service termination, causing downtime until the Mattermost process is restarted.

Generated by OpenCVE AI on May 25, 2026 at 09:22 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.

OpenCVE Recommended Actions

  • Upgrade Mattermost to a patched release (11.7.0 or higher, 11.6.1, 11.5.4, 11.4.5, or 10.11.15).
  • If an immediate upgrade is infeasible, restrict or disable outgoing webhook usage for users who do not need this functionality.
  • As a temporary measure, configure custom webhook handlers to validate payloads and reject null attachment entries before processing.

Generated by OpenCVE AI on May 25, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Mon, 01 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 25 May 2026 08:15:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry.. Mattermost Advisory ID: MMSA-2026-00641
Title Server panic via outgoing webhook responses
Weaknesses CWE-754
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Mattermost Mattermost Mattermost Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-26T14:43:36.837Z

Reserved: 2026-03-26T17:29:11.040Z

Link: CVE-2026-4915

cve-icon Vulnrichment

Updated: 2026-05-26T14:43:32.260Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-25T08:16:24.897

Modified: 2026-06-01T17:57:36.300

Link: CVE-2026-4915

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T12:00:12Z

Weaknesses
  • CWE-754

    Improper Check for Unusual or Exceptional Conditions