Skip to main content

Mattermost CVE-2026-21388

| EUVDEUVD-2026-20880 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-09 Mattermost GHSA-x274-8qfc-hrgf
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 09, 2026 - 10:30 euvd
EUVD-2026-20880
Analysis Generated
Apr 09, 2026 - 10:30 vuln.today
CVE Published
Apr 09, 2026 - 10:09 nvd
LOW 3.7

DescriptionCVE.org

Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610

AnalysisAI

Mattermost Plugins versions 2.3.1 and earlier allow unauthenticated remote attackers to trigger denial of service by sending oversized JSON payloads to the /lifecycle webhook endpoint, causing memory exhaustion due to missing request body size validation. CVSS 3.7 reflects low severity despite network accessibility; EPSS and active exploitation status not independently confirmed from available data.

Technical ContextAI

The vulnerability exists in the /lifecycle webhook endpoint within Mattermost Plugins, a critical component that processes lifecycle events for plugin management. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the endpoint fails to enforce restrictions on the size of incoming request payloads. When an attacker sends a crafted JSON request body without size constraints, the server allocates memory to parse and buffer this data, exhausting available heap memory and triggering a denial of service condition. The affected product is identified by CPE cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:* for all Mattermost installations running vulnerable Plugins versions.

RemediationAI

Upgrade Mattermost Plugins to a version greater than 2.3.1 to obtain the patch. Exact patched version numbers are not specified in the advisory reference provided; consult https://mattermost.com/security-updates (Mattermost Advisory ID: MMSA-2026-00610) for specific release versions and upgrade procedures. As an interim workaround pending patching, implement network-level rate limiting and request size limits (e.g., via reverse proxy or WAF rules) on the /lifecycle endpoint to reject payloads exceeding a reasonable threshold for legitimate webhook traffic. Additionally, restrict access to the /lifecycle endpoint to trusted sources if operationally feasible.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-21388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy