Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint.. Mattermost Advisory ID: MMSA-2026-00647
AnalysisAI
Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remote attackers to crash the server process by sending a crafted msgpack-encoded binary WebSocket frame to the public endpoint. The flaw stems from missing validation of frame sizes before memory allocation, enabling a full service outage for all users. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects the unauthenticated network-reachable nature of the attack with high availability impact.
Technical ContextAI
Mattermost is an open-source team collaboration platform whose real-time messaging layer uses WebSockets to deliver presence, channel, and message events to connected clients. This issue resides in the WebSocket frame handler that decodes binary payloads using msgpack (MessagePack), a compact binary serialization format. The root cause maps to CWE-789 (Memory Allocation with Excessive Size Value): the server reads size or length fields from an attacker-controlled msgpack-encoded frame and allocates memory based on those values without first bounding or sanity-checking them, leading to resource exhaustion or process termination. Because the WebSocket endpoint is exposed to anonymous clients during the connection handshake, no prior session or token is required to reach the vulnerable code path.
RemediationAI
Patch available per vendor advisory MMSA-2026-00647 - administrators should upgrade to a fixed release on their current branch (a release higher than 11.6.0, 11.5.3, 11.4.4, or 10.11.14 respectively) as published at https://mattermost.com/security-updates; exact fix versions should be confirmed against that advisory before deployment. If immediate patching is not possible, restrict reachability of the WebSocket endpoint by placing Mattermost behind a reverse proxy or WAF that terminates and inspects WebSocket traffic, source-IP-allowlist the endpoint to corporate networks or VPN ranges, and rate-limit new WebSocket connections - these controls reduce exposure but will break legitimate mobile/desktop client access from outside the allowlist and may not stop a low-volume attack from an authorized network. Monitor the server process for unexpected restarts and configure the service supervisor (systemd, Kubernetes liveness probe) for fast restart so outages are bounded while the patch is rolled out.
More in Mattermost
View allDenial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by s
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large auto
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded w
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perf
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invit
Dex is a federated OpenID Connect provider written in Go. Rated critical severity (CVSS 9.6), this vulnerability is remo
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers t
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, wh
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker posse
Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding gr
Authorization bypass in Mattermost Plugin Legal Hold versions <=1.1.4 allows authenticated attackers to manipulate legal
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31426
GHSA-w9m8-p4cc-4qj9