Skip to main content

Mattermost CVE-2026-24458

| EUVDEUVD-2026-12405 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-16 Mattermost GHSA-m5rv-56xx-hfc6
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 13:00 euvd
EUVD-2026-12405
Analysis Generated
Mar 16, 2026 - 13:00 vuln.today
CVE Published
Mar 16, 2026 - 12:02 nvd
HIGH 7.5

DescriptionCVE.org

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587

AnalysisAI

Mattermost 10.11.x through 11.3.x fails to validate password length, allowing unauthenticated attackers to trigger denial of service by submitting multi-megabyte passwords during login attempts that consume excessive CPU and memory resources. The vulnerability affects all versions up to 10.11.10, 11.2.2, and 11.3.0, with no patch currently available.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft login request with multi-megabyte password
Delivery
Submit to Mattermost authentication endpoint
Exploit
Trigger inefficient password processing
Execution
Exhaust server CPU and memory
Impact
Cause denial of service

Vulnerability AssessmentAI

Exploitation Mattermost versions 11.3.0 or earlier, 11.2.2 or earlier, or 10.11.10 or earlier with publicly accessible login endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This vulnerability presents a moderate-to-high real-world risk based on multiple factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an internet-facing Mattermost server and crafts malicious login requests containing passwords of several megabytes in size. By automating these requests from multiple sources or in rapid succession, the attacker forces the server to allocate significant CPU cycles and memory to process each oversized password through the authentication system, eventually exhausting server resources and causing legitimate users to experience service outages or degraded performance.
Remediation Organizations should immediately upgrade affected Mattermost installations to patched versions: upgrade from 11.3.0 to 11.3.1 or later, from 11.2.2 to 11.2.3 or later, or from 10.11.10 to 10.11.11 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Mattermost instances and confirm version numbers; enable login attempt rate limiting and IP-based throttling. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

CVE-2026-6346 HIGH
8.7 May 18

Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sa

CVE-2026-6957 HIGH
8.0 May 27

Arbitrary file write in Mattermost Plugins (versions ≤1.1.5) lets an administrator of a remote, federated Mattermost ser

CVE-2026-3108 HIGH
8.0 Mar 26

Mattermost's mmctl command-line administration tool fails to sanitize ANSI and OSC escape sequences embedded in user-gen

CVE-2026-4858 HIGH
8.0 May 21

Privilege escalation via path traversal in Mattermost collaboration platform allows authenticated users to invoke arbitr

CVE-2026-6517 HIGH
7.7 Jun 15

Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harves

CVE-2026-6961 HIGH
7.6 Jun 12

Arbitrary file write in Mattermost via path traversal affects versions 11.6.x ≤ 11.6.1, 11.5.x ≤ 11.5.4, and 10.11.x ≤ 1

CVE-2026-6347 HIGH
7.6 May 18

Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 expos

CVE-2026-5740 HIGH
7.5 May 22

Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remo

CVE-2026-6739 HIGH
7.2 Jun 12

Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management p

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-24458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy