Description
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658
Published: 2026-07-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.7.x through 10.11.x fail to validate the length and content of message attachment fields, allowing an authenticated user to embed a specially crafted payload that triggers catastrophic backtracking in the client‑side markdown parser. The flaw leads to a denial of service for all users in a channel by exhausting client resources and rendering the interface unresponsive. The weakness is a regex backtracking issue, identified as CWE‑1333, which directly impacts application availability.

Affected Systems

The vulnerability affects Mattermost products from version 10.11.0 to 10.11.19, 11.6.0 to 11.6.4, and 11.7.0 to 11.7.2. Any installation of Mattermost within these version ranges is susceptible. Administrators should verify the installed release against these affected ranges.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity, and the exploitability is reasonable given the requirement for authentication and the presence of a crafted payload. Because the attack occurs client‑side, malicious content can be shared through normal posting mechanisms; an attacker in a channel can simply post the payload and cause a distributed service disruption for all users. While there is no EPSS score available and the vulnerability is not listed in the CISA KEV catalog, the potential for channel‑wide denial of service is significant for teams relying on continuous collaboration.

Generated by OpenCVE AI on July 13, 2026 at 17:24 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.


OpenCVE Recommended Actions

  • Apply the official update to Mattermost version 11.8.0 or any newer release that mitigates the markdown parser problem
  • Ensure that the updated version is deployed consistently across all servers and clients in your environment
  • After updating, verify that the attachment length and content validation logic behaves as expected and that no denial of service occurs when posting large or complex attachments
  • Consider implementing a minimum verification layer that rejects overly large attachments before they reach the client to serve as a supplemental defense if a patch delay is unavoidable

Generated by OpenCVE AI on July 13, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 13 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 13 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658
Title Crafted message attachment causes client-side denial of service via markdown parser regex backtracking in Mattermost
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-07-13T13:56:16.767Z

Reserved: 2026-04-22T10:05:15.625Z

Link: CVE-2026-6850

cve-icon Vulnrichment

Updated: 2026-07-13T13:56:13.167Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T17:30:04Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity