Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing, which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573
Published: 2026-05-18
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can upload a specially crafted 7zip archive whose header declares an excessive number of folders. The Mattermost server does not validate the archive structure before processing it, so it sizes its allocations from the declared counts rather than from the data actually present (CWE-789, uncontrolled memory allocation). A small upload can therefore drive the server process to exhaust available memory, producing a denial of service that leaves the Mattermost service unable to respond to legitimate users.
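To make the CWE-789 pattern concrete, the following Go program is an added example; it is not Mattermost's code and not the code of any 7zip library. It decodes the variable-length NUMBER encoding that 7z uses for counts in its header, then contrasts a parser that sizes its folder table from the declared count with a hardened one that checks the count against an absolute cap and against the bytes actually present before allocating anything. The one-byte folder record, the 65536 cap, and the two sample headers are assumptions constructed for the example; the naive side reports the reservation it would make instead of performing it, so the program does not exhaust memory itself.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// Folder is a trimmed-down stand-in for a 7z folder record (assumed layout:
// one byte holding a coder ID). The real record carries coder IDs, properties
// and bind pairs; this is not the on-disk 7z format.
type Folder struct {
	CoderID byte
}

// maxFolders is an assumed per-archive cap; a deployment would pick its own.
const maxFolders = 1 << 16

// readNumber decodes the 7z variable-length NUMBER encoding (1 to 9 bytes):
// the run of leading 1 bits in the first byte gives the count of extra
// little-endian bytes, and the remaining low bits of the first byte supply the
// most significant part of the value.
func readNumber(b []byte) (value uint64, used int, err error) {
	if len(b) == 0 {
		return 0, 0, errors.New("truncated number")
	}
	first := b[0]
	mask := byte(0x80)
	for i := 0; i < 8; i++ {
		if first&mask == 0 {
			high := uint64(first & (mask - 1))
			return value | high<<(8*uint(i)), i + 1, nil
		}
		if i+1 >= len(b) {
			return 0, 0, errors.New("truncated number")
		}
		value |= uint64(b[i+1]) << (8 * uint(i))
		mask >>= 1
	}
	return value, 9, nil
}

// naiveAllocation reports how many bytes a parser that sizes its folder table
// from the declared count, before looking at the data, would reserve. This is
// the uncontrolled-allocation shape the advisory describes.
func naiveAllocation(hdr []byte) (uint64, error) {
	n, _, err := readNumber(hdr)
	if err != nil {
		return 0, err
	}
	return n * uint64(unsafe.Sizeof(Folder{})), nil
}

// parseFolders is the hardened form: the declared count is checked against an
// absolute cap and against the bytes that actually follow before allocation.
func parseFolders(hdr []byte) ([]Folder, error) {
	n, used, err := readNumber(hdr)
	if err != nil {
		return nil, err
	}
	body := hdr[used:]
	if n > maxFolders {
		return nil, fmt.Errorf("declared %d folders exceeds cap %d", n, maxFolders)
	}
	// Every folder record needs at least one byte, so a count larger than the
	// remaining header is provably malformed regardless of the cap.
	if n > uint64(len(body)) {
		return nil, fmt.Errorf("declared %d folders but only %d bytes follow", n, len(body))
	}
	folders := make([]Folder, n)
	for i := range folders {
		folders[i].CoderID = body[i]
	}
	return folders, nil
}

// Constructed sample headers for the example; not taken from a real archive.
var (
	// Three folders with coder IDs 0x21, 0x03, 0x04.
	benignHeader = []byte{0x03, 0x21, 0x03, 0x04}
	// Declares 2^32-1 folders (0xF0 plus four 0xFF bytes) with nothing behind the count.
	craftedHeader = []byte{0xF0, 0xFF, 0xFF, 0xFF, 0xFF}
)

func main() {
	if n, err := naiveAllocation(craftedHeader); err == nil {
		fmt.Printf("naive parser would reserve %d bytes for a %d-byte header\n", n, len(craftedHeader))
	}
	if _, err := parseFolders(craftedHeader); err != nil {
		fmt.Println("hardened parser rejected it:", err)
	}
	if folders, err := parseFolders(benignHeader); err == nil {
		fmt.Printf("benign header parsed into %d folders\n", len(folders))
	}
}
```

The two checks are deliberately independent: the cap bounds memory for any input, while the remaining-bytes check rejects the crafted header without needing to know what a reasonable cap is, which matters when the cap is set generously.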

Affected Systems

The vulnerability affects Mattermost 11.5.x up to and including 11.5.1, 10.11.x up to and including 10.11.13, and 11.4.x up to and including 11.4.3. The affected component is the Mattermost server; the flaw is reached when an authenticated user uploads a 7zip file that the server then processes.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) yields a medium score of 4.3: the attack is network-reachable with low complexity and no user interaction, but it requires a low-privilege authenticated account and affects availability only. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Because any authenticated account suffices, the realistic threat comes from an insider, a compromised account, or an instance that allows open registration; from there a single upload can degrade or take down the service for all users, and it can be repeated after each restart. No public exploit is referenced here and the moderate score limits urgency, but the low effort needed to trigger the DoS makes the update worthwhile for any deployment exposed to untrusted accounts.

Generated by OpenCVE AI on May 18, 2026 at 09:50 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.


OpenCVE Recommended Actions

  • Update Mattermost to versions 11.6.0, 11.5.2, 10.11.14, 11.4.4 or higher.
  • Until patched, restrict who may upload attachments or block 7zip (.7z) attachments outright; a file size limit alone does not stop this attack, since a tiny archive can declare an enormous number of folders
  • Monitor server memory and alert on sudden growth in the server process, correlating it with recent file uploads to identify the account responsible
  • If archive processing for uploaded files can be disabled in your deployment, disable it until the fix is applied; note that the attack requires an authenticated user, so restricting unauthenticated uploads does not address it


Advisories

No advisories yet.

References
History

Mon, 18 May 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Mattermost; Mattermost mattermost
Vendors & Products   -                Mattermost; Mattermost mattermost

Mon, 18 May 2026 08:00:00 +0000

Type          Values Removed   Values Added
Description   -                Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing, which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573
Title         -                Memory Exhaustion via Malicious 7zip File Upload
Weaknesses    -                CWE-789
References    -                -
Metrics       -                cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L


MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T07:08:56.863Z

Reserved: 2026-04-15T10:30:19.937Z

Link: CVE-2026-6340

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T08:16:14.450

Modified: 2026-05-18T08:16:14.450

Link: CVE-2026-6340

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:00:13Z

Weaknesses