Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
AnalysisAI
Mattermost Plugins versions 2.3.1 and earlier allow unauthenticated remote attackers to trigger denial of service by sending oversized JSON payloads to the /lifecycle webhook endpoint, causing memory exhaustion due to missing request body size validation. CVSS 3.7 reflects low severity despite network accessibility; EPSS and active exploitation status not independently confirmed from available data.
Technical ContextAI
The vulnerability exists in the /lifecycle webhook endpoint within Mattermost Plugins, a critical component that processes lifecycle events for plugin management. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the endpoint fails to enforce restrictions on the size of incoming request payloads. When an attacker sends a crafted JSON request body without size constraints, the server allocates memory to parse and buffer this data, exhausting available heap memory and triggering a denial of service condition. The affected product is identified by CPE cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:* for all Mattermost installations running vulnerable Plugins versions.
RemediationAI
Upgrade Mattermost Plugins to a version greater than 2.3.1 to obtain the patch. Exact patched version numbers are not specified in the advisory reference provided; consult https://mattermost.com/security-updates (Mattermost Advisory ID: MMSA-2026-00610) for specific release versions and upgrade procedures. As an interim workaround pending patching, implement network-level rate limiting and request size limits (e.g., via reverse proxy or WAF rules) on the /lifecycle endpoint to reject payloads exceeding a reasonable threshold for legitimate webhook traffic. Additionally, restrict access to the /lifecycle endpoint to trusted sources if operationally feasible.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20880
GHSA-x274-8qfc-hrgf