Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints, which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646
Published: 2026-05-22
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost plugin HTTP endpoints fail to enforce request body size limits, permitting attackers to send arbitrarily large payloads that exhaust server resources and disrupt service. This weakness is classified as CWE-400, uncontrolled resource consumption. The impact is a denial of service that can affect any component serving those endpoints, since the requests are accepted without user authentication or input validation.

Affected Systems

Mattermost instances running 11.6.x up to 11.6.0, 11.5.x up to 11.5.3, 11.4.x up to 11.4.4, or 10.11.x up to 10.11.14 are vulnerable; later releases are not affected.

Risk and Exploitability

The CVSS score of 4.9 denotes moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker sends oversized HTTP requests over the network to the exposed plugin endpoints, and no authentication is required. Although no publicly known exploits exist, the absence of a request size limit means that a malicious client can trigger a denial of service wherever a large payload is accepted.

Generated by OpenCVE AI on May 22, 2026 at 12:51 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to version 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15 or later as provided by the vendor
  • If an immediate update is not possible, configure an upstream proxy or firewall to enforce a reasonable maximum request body size (e.g., 8 MB) before the request reaches the Mattermost service
  • Monitor system logs and metrics for abnormal request sizes or repeated service interruptions to detect potential exploitation
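The second recommended action bounds the request body before it reaches Mattermost; the same control can also be applied on the server side, which is what the vendor fix does for plugin routes. The following is an added example written for this page, not code from Mattermost or any of its plugins. It wraps a handler so that both declared (Content-Length) and undeclared (chunked) oversized bodies are rejected with HTTP 413 instead of being buffered into memory. The limit of 8 MiB, the path /plugins/example/webhook and the handler pluginHandler are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxPluginBody is the per-request body cap applied to plugin routes (assumed value,
// matching the 8 MB figure suggested in the recommended actions).
const maxPluginBody int64 = 8 << 20

// limitBody wraps next so that a body larger than limit bytes is refused with 413.
// Requests that declare their size are rejected before any byte is read; requests
// with unknown length (chunked encoding) are bounded while the handler reads them.
func limitBody(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > limit {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// MaxBytesReader returns an error once more than limit bytes have been read
		// and tells the server to close the connection afterwards.
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// pluginHandler stands in for a plugin endpoint that reads its whole body (hypothetical).
// Without limitBody in front of it, io.ReadAll would grow without bound.
func pluginHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes", len(body))
}

// send posts a constructed body of n bytes through the limited handler and returns the
// HTTP status code. When declared is false the Content-Length is hidden (-1), which
// exercises the MaxBytesReader path rather than the early header check.
func send(limit int64, n int, declared bool) int {
	h := limitBody(limit, http.HandlerFunc(pluginHandler))
	req := httptest.NewRequest(http.MethodPost, "/plugins/example/webhook",
		strings.NewReader(strings.Repeat("A", n)))
	if !declared {
		req.ContentLength = -1
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("small body, declared:     ", send(maxPluginBody, 512, true))
	fmt.Println("oversized, declared:      ", send(maxPluginBody, int(maxPluginBody)+1, true))
	fmt.Println("oversized, chunked/unknown:", send(maxPluginBody, int(maxPluginBody)+1, false))
}
```

Registering the wrapper on the plugin route group is enough to cover every plugin endpoint at once; the check on r.ContentLength is cheap, but it is the MaxBytesReader that matters, because an attacker controls whether a length is declared at all.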

Generated by OpenCVE AI on May 22, 2026 at 12:51 UTC.

Tracking


Advisories

No advisories yet.

References
History

Fri, 22 May 2026 13:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 12:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Mattermost; Mattermost mattermost

Type: Vendors & Products
Values removed: (none)
Values added: Mattermost; Mattermost mattermost

Fri, 22 May 2026 11:00:00 +0000

Type: Description
Values removed: (none)
Values added: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646

Type: Title
Values removed: (none)
Values added: Missing request body size limits on Zoom plugin HTTP endpoints

Type: Weaknesses
Values removed: (none)
Values added: CWE-400

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-22T12:14:58.221Z

Reserved: 2026-04-01T10:35:26.431Z

Link: CVE-2026-5308

Vulnrichment

Updated: 2026-05-22T12:14:55.248Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T13:00:13Z

Weaknesses