Skip to main content

Mattermost CVE-2026-3116

| EUVDEUVD-2026-16246 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-26 Mattermost
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 16:45 euvd
EUVD-2026-16246
Analysis Generated
Mar 26, 2026 - 16:45 vuln.today
CVE Published
Mar 26, 2026 - 16:19 nvd
MEDIUM 4.9

DescriptionCVE.org

Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589

AnalysisAI

Mattermost Plugins versions 11.4 and earlier fail to validate incoming request sizes on webhook endpoints, allowing authenticated attackers to trigger denial of service by sending oversized requests. The vulnerability affects multiple Mattermost release branches (10.x, 11.0.x, 11.1.x, 11.3.x) and has been assigned CVSS 4.9 (medium severity) with no public exploit identified at time of analysis. While exploitability requires high-privilege authentication and manual intervention, the lack of request size enforcement on webhooks represents a fundamental input validation gap that could disrupt service availability in production environments.

Technical ContextAI

The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption), specifically the failure to implement request size limits on Mattermost webhook endpoints. Webhooks are HTTP-based integration points that accept incoming POST requests from external systems; without size validation, an authenticated attacker can exhaust server resources by sending exceptionally large payloads. This affects the Mattermost platform (CPE: cpe:2.3:a:mattermost:mattermost) across multiple plugin and core versions. The root cause is missing or inadequate input validation middleware that should reject requests exceeding a configured threshold before they are processed by application logic, allowing resource exhaustion attacks that degrade performance or cause service unavailability.

RemediationAI

Upgrade Mattermost to a patched version released after the MMSA-2026-00589 advisory (exact patch version not specified in available data; consult https://mattermost.com/security-updates for the latest release). Until patching is possible, implement network-level request size limits by deploying a reverse proxy (nginx, Apache, or cloud load balancer) configured to reject HTTP requests exceeding a reasonable size threshold (e.g., 10-50 MB depending on expected webhook payload sizes). Additionally, restrict webhook endpoint access to known, trusted IP ranges or require mutual TLS authentication for external webhook sources. Audit current webhook integrations to identify which systems have access and consider disabling unused webhooks temporarily.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-3116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy