Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID: MMSA-2026-00646
AnalysisAI
Denial of service in Mattermost's plugin HTTP endpoint layer allows an authenticated high-privilege attacker to exhaust server resources by sending crafted oversized HTTP request bodies. Affected across four concurrent release branches - 10.11.x through 11.6.x - with no published EPSS score and no confirmed active exploitation or public proof-of-concept at time of analysis. The CVSS score of 4.9 (Medium) accurately reflects the high-privilege prerequisite that meaningfully limits the realistic attacker population, though availability impact is rated High, meaning successful exploitation disrupts service availability entirely.
Technical ContextAI
Mattermost is a self-hosted team messaging and collaboration platform. Its plugin architecture exposes HTTP endpoints that third-party plugins can register and serve. CWE-400 (Uncontrolled Resource Consumption) is the root cause: the plugin HTTP handler layer does not impose an upper bound on incoming request body size. Without a body size limit, an HTTP server may buffer arbitrarily large payloads into memory or disk, causing resource exhaustion - memory pressure, thread starvation, or process crashes. This class of vulnerability is common in web frameworks that rely on application-layer developers to enforce limits rather than enforcing them in the middleware layer by default. The CPE string cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:* covers all editions of the Mattermost server application. The EUVD entry EUVD-2026-31425 corroborates the affected version ranges reported by Mattermost.
RemediationAI
The primary remediation is to upgrade to a patched release per the Mattermost security advisory at https://mattermost.com/security-updates. Note that the advisory page lists fixed versions per branch, but no specific fixed version numbers were included in the available intelligence data - exact target upgrade versions must be confirmed directly from the vendor advisory before patching. As a compensating control where immediate patching is not feasible, administrators can restrict plugin installation and limit the set of active plugins that expose HTTP endpoints, reducing the available attack surface. Additionally, placing the Mattermost server behind a reverse proxy (e.g., nginx or HAProxy) configured with explicit client_max_body_size or equivalent request body size limits provides an independent enforcement layer that can block oversized requests before they reach the application. This proxy-level mitigation does not require downtime but introduces a dependency on proxy configuration correctness and does not address the underlying code deficiency.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31425
GHSA-jmvr-r5hm-fxfr