Skip to main content

Mattermost EUVDEUVD-2026-30590

| CVE-2026-4054 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-05-15 Mattermost GHSA-j76w-p754-g2w7
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 15, 2026 - 19:38 vuln.today

DescriptionCVE.org

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdown image link.. Mattermost Advisory ID: MMSA-2026-00630

AnalysisAI

Client-side denial-of-service in Mattermost allows remote attackers to crash user browsers via maliciously crafted SVG files embedded in OpenGraph metadata or Markdown images. The vulnerability affects Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3, where the server fails to validate proxied image response bodies. Attackers exploit this by serving SVG files with misleading Content-Type headers (e.g., image/png) that bypass validation, causing resource exhaustion when rendered in victim browsers. CVSS rates this 4.3 (Medium) with network attack vector requiring user interaction, while EPSS data is not available. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.

Technical ContextAI

Mattermost's image proxy feature retrieves and serves externally linked images to prevent direct client connections to untrusted origins. The affected versions (CPE: cpe:2.3:a:mattermost:mattermost) fail to validate response bodies from proxied image requests, trusting only the HTTP Content-Type header. This vulnerability exploits CWE-754 (Improper Check for Unusual or Exceptional Conditions) by allowing SVG files to bypass validation when served with non-SVG MIME types. SVG files can contain embedded scripts, animations, or recursive elements that consume excessive browser resources. When embedded via OpenGraph og:image tags (rendered in link previews) or Markdown image syntax, the malicious SVG renders in victim browsers despite appearing as a benign image type. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low attack complexity from a network position with no authentication required, but user interaction is necessary to trigger rendering.

RemediationAI

Upgrade to patched Mattermost Server versions released after the affected branches (specific patched versions: 11.5.2 or later for 11.5.x branch, 10.11.14 or later for 10.11.x branch, 11.4.4 or later for 11.4.x branch-verify exact fix versions at https://mattermost.com/security-updates). As a temporary mitigation, administrators can disable the image proxy feature entirely, though this forces client browsers to connect directly to external image sources, reducing privacy and potentially exposing internal IP addresses. Alternatively, implement Content Security Policy (CSP) headers that restrict SVG rendering by setting 'img-src' directives to exclude 'data:' URIs and validate image types, though this may break legitimate SVG usage in channels. Network-level controls blocking SVG MIME types at the proxy or load balancer can reduce risk but may cause false positives. Monitor Mattermost logs for unusual image proxy requests with Content-Type mismatches. Review channel posting permissions to limit untrusted users' ability to embed external images.

CVE-2026-48801 HIGH POC
8.7 Jun 26

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s

CVE-2022-4044 MEDIUM POC
6.5 Nov 23

A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto

CVE-2022-3257 MEDIUM POC
6.5 Sep 23

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w

CVE-2023-6458 CRITICAL
9.8 Dec 06

Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2024-39777 CRITICAL
9.6 Aug 01

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit

CVE-2020-26290 CRITICAL
9.6 Dec 28

Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-9354 MEDIUM POC
5.5 May 24

Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t

CVE-2022-1002 MEDIUM POC
5.4 Mar 18

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh

CVE-2023-2193 CRITICAL
9.1 Apr 20

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse

CVE-2026-7387 HIGH
8.8 Jun 12

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr

CVE-2026-3524 HIGH
8.8 Apr 06

Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal

Share

EUVD-2026-30590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy