What is the CVSS score of CVE-2026-5740?

CVE-2026-5740 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Mattermost are affected by CVE-2026-5740?

Mattermost server versions 10.11.0-10.11.14, 11.4.0-11.4.4, 11.5.0-11.5.3, and 11.6.0 are vulnerable to unauthenticated denial-of-service attacks that can crash the entire service, causing a complete…

Mattermost CVE-2026-5740

Q: How to fix or mitigate CVE-2026-5740?

Within 24 hours: inventory all Mattermost deployments and confirm current versions; implement temporary network-level restrictions on WebSocket access from untrusted networks. Within 7 days: test upgrade paths in staging environment and develop deployment plan for patched version once vendor releases it; enable incident response monitoring for service crashes. Within 30 days: deploy patched version to all production instances once available from vendor, or maintain permanent network compensating controls if vendor timeline extends beyond 30 days.

EUVD-2026-31426 HIGH

Memory Allocation with Excessive Size Value (CWE-789)

2026-05-22 Mattermost

GHSA-w9m8-p4cc-4qj9

Denial Of Service Mattermost

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 22, 2026 - 11:30 vuln.today

DescriptionNVD

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint.. Mattermost Advisory ID: MMSA-2026-00647

AnalysisAI

Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remote attackers to crash the server process by sending a crafted msgpack-encoded binary WebSocket frame to the public endpoint. The flaw stems from missing validation of frame sizes before memory allocation, enabling a full service outage for all users. …

RemediationAI

Within 24 hours: inventory all Mattermost deployments and confirm current versions; implement temporary network-level restrictions on WebSocket access from untrusted networks. Within 7 days: test upgrade paths in staging environment and develop deployment plan for patched version once vendor releases it; enable incident response monitoring for service crashes. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-5740 vulnerability details – vuln.today

Back

Mattermost CVE-2026-5740

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code