Is Mattermost affected by CVE-2026-24458?

Mattermost instances running versions 11.3.0 or earlier are vulnerable to denial-of-service attacks where attackers can crash or severely degrade service availability by submitting oversized login requests.

CVE-2026-24458

Q: How to fix CVE-2026-24458?

Within 24 hours: Inventory all Mattermost instances and confirm version numbers; enable login attempt rate limiting and IP-based throttling. Within 7 days: Deploy WAF rules to reject HTTP POST requests to login endpoints exceeding 1MB; consider implementing reverse-proxy request size limits. Within 30 days: Plan immediate upgrade to patched versions when released; evaluate alternative communication platforms if upgrade timeline extends beyond 60 days.

EUVD-2026-12405 HIGH

2026-03-16 Mattermost

GHSA-m5rv-56xx-hfc6

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 13:00 euvd

EUVD-2026-12405

Analysis Generated

Mar 16, 2026 - 13:00 vuln.today

CVE Published

Mar 16, 2026 - 12:02 nvd

HIGH 7.5

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587

Analysis

Mattermost 10.11.x through 11.3.x fails to validate password length, allowing unauthenticated attackers to trigger denial of service by submitting multi-megabyte passwords during login attempts that consume excessive CPU and memory resources. The vulnerability affects all versions up to 10.11.10, 11.2.2, and 11.3.0, with no patch currently available.

Remediation

Within 24 hours: Inventory all Mattermost instances and confirm version numbers; enable login attempt rate limiting and IP-based throttling. Within 7 days: Deploy WAF rules to reject HTTP POST requests to login endpoints exceeding 1MB; consider implementing reverse-proxy request size limits. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

Vendor Status

CVE-2026-24458 vulnerability details – vuln.today

Back

CVE-2026-24458

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-24458

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code