Skip to main content

Mattermost CVE-2026-5308

| EUVDEUVD-2026-31425 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-22 Mattermost GHSA-jmvr-r5hm-fxfr
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 11:31 vuln.today

DescriptionCVE.org

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID: MMSA-2026-00646

AnalysisAI

Denial of service in Mattermost's plugin HTTP endpoint layer allows an authenticated high-privilege attacker to exhaust server resources by sending crafted oversized HTTP request bodies. Affected across four concurrent release branches - 10.11.x through 11.6.x - with no published EPSS score and no confirmed active exploitation or public proof-of-concept at time of analysis. The CVSS score of 4.9 (Medium) accurately reflects the high-privilege prerequisite that meaningfully limits the realistic attacker population, though availability impact is rated High, meaning successful exploitation disrupts service availability entirely.

Technical ContextAI

Mattermost is a self-hosted team messaging and collaboration platform. Its plugin architecture exposes HTTP endpoints that third-party plugins can register and serve. CWE-400 (Uncontrolled Resource Consumption) is the root cause: the plugin HTTP handler layer does not impose an upper bound on incoming request body size. Without a body size limit, an HTTP server may buffer arbitrarily large payloads into memory or disk, causing resource exhaustion - memory pressure, thread starvation, or process crashes. This class of vulnerability is common in web frameworks that rely on application-layer developers to enforce limits rather than enforcing them in the middleware layer by default. The CPE string cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:* covers all editions of the Mattermost server application. The EUVD entry EUVD-2026-31425 corroborates the affected version ranges reported by Mattermost.

RemediationAI

The primary remediation is to upgrade to a patched release per the Mattermost security advisory at https://mattermost.com/security-updates. Note that the advisory page lists fixed versions per branch, but no specific fixed version numbers were included in the available intelligence data - exact target upgrade versions must be confirmed directly from the vendor advisory before patching. As a compensating control where immediate patching is not feasible, administrators can restrict plugin installation and limit the set of active plugins that expose HTTP endpoints, reducing the available attack surface. Additionally, placing the Mattermost server behind a reverse proxy (e.g., nginx or HAProxy) configured with explicit client_max_body_size or equivalent request body size limits provides an independent enforcement layer that can block oversized requests before they reach the application. This proxy-level mitigation does not require downtime but introduces a dependency on proxy configuration correctness and does not address the underlying code deficiency.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

CVE-2026-5308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy