Skip to main content

Suse EUVDEUVD-2026-15756

| CVE-2026-26233 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-25 Mattermost GHSA-247x-7qw8-fp98
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15756
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:24 nvd
MEDIUM 4.3

DescriptionCVE.org

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566

AnalysisAI

Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 lack proper rate limiting on login endpoints, allowing unauthenticated attackers to trigger denial of service through HTTP/2 single packet attacks delivering 100+ parallel login requests. This causes server crashes and forced restarts. While the CVSS score of 4.3 is moderate and requires low attack complexity over the network, the vulnerability enables complete service disruption without authentication.

Technical ContextAI

The vulnerability exists in Mattermost's authentication mechanism and HTTP request handling layer, specifically the login endpoint processing logic. Mattermost is a self-hosted team collaboration platform (cpe:2.3:a:mattermost:mattermost) that handles authentication requests across multiple protocol versions. The root cause is classified under CWE-400 (Uncontrolled Resource Consumption), indicating insufficient rate limiting controls on a critical authentication pathway. HTTP/2 protocol features enable multiplexing multiple requests within a single TCP connection and packet, which attackers exploit to bypass traditional per-connection rate limits by sending dozens of parallel login attempts that consume server resources (CPU, memory, connection pools) faster than the application can process them, eventually exhausting available resources and crashing the service.

RemediationAI

Immediately upgrade affected Mattermost instances to patched versions: upgrade 11.4.x to 11.4.1 or later, 11.3.x to 11.3.2 or later, 11.2.x to 11.2.4 or later, and 10.11.x to 10.11.12 or later (consult https://mattermost.com/security-updates for exact patch versions). For instances where immediate patching is not feasible, implement compensating controls: deploy a reverse proxy or load balancer (nginx, HAProxy) with aggressive rate limiting on the /api/v4/users/login endpoint (recommend 5-10 requests per second per IP address), enable HTTP/2 connection multiplexing limits to restrict concurrent streams per connection, implement IP-based rate limiting at the network perimeter, and monitor authentication endpoint metrics for anomalous spike patterns that trigger automated alerts or temporary IP blocking.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-15756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy