PT-2026-25678 · Mattermost · Mattermost
Published 2026-02-13 · Updated 2026-03-27 · CVE-2026-2456
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.11.0 through 10.11.10
Mattermost versions 11.2.0 through 11.2.2
Mattermost version 11.3.0
Description
Mattermost does not limit the size of responses returned by integration action endpoints. When a user clicks a button in an interactive message, the Mattermost server forwards the action to the integration server's URL and reads that server's response into memory without an upper bound. An authenticated attacker who controls the integration server can therefore return an arbitrarily large response and exhaust the Mattermost server's memory, causing a denial of service. The affected API endpoint is the integration action endpoint; the unbounded value is the response body returned by the integration server.
Recommendations
Mattermost versions 10.11.0 through 10.11.10 should be updated.
Mattermost versions 11.2.0 through 11.2.2 should be updated.
Mattermost version 11.3.0 should be updated.
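To make the failure mode above concrete, here is an added Go example (Mattermost's server is written in Go) that is not Mattermost's code and not the vendor's fix. It mimics the pattern the advisory describes: a constructed stand-in for an attacker's integration server streams an arbitrarily large body without declaring its length, a client reads it unbounded, and a hardened client caps the read. The function names, the request payload, the 1 MiB cap and the simulated server are all assumptions for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrResponseTooLarge is returned when an integration server's response exceeds the cap.
var ErrResponseTooLarge = errors.New("integration action response exceeds size limit")

// postAction sends the kind of request a chat server makes when a user clicks an
// interactive message button. The payload is a constructed stand-in, not
// Mattermost's real action schema.
func postAction(client *http.Client, url string) (*http.Response, error) {
	return client.Post(url, "application/json", strings.NewReader(`{"context":{"action":"example"}}`))
}

// readActionResponseUnbounded reads the integration server's reply into memory
// with no upper bound, so the remote server decides how much memory we allocate.
// This is the vulnerable pattern the advisory describes.
func readActionResponseUnbounded(client *http.Client, url string) ([]byte, error) {
	resp, err := postAction(client, url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// readActionResponseBounded performs the same fetch but refuses bodies larger
// than maxBytes. It reads at most maxBytes+1 bytes so that a body exactly at
// the limit is accepted and anything beyond it is rejected without buffering it.
func readActionResponseBounded(client *http.Client, url string, maxBytes int64) ([]byte, error) {
	resp, err := postAction(client, url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Cheap early exit when the server declares its size. A hostile server can
	// omit Content-Length (chunked encoding) or lie, so this alone is not enough.
	if resp.ContentLength > maxBytes {
		return nil, ErrResponseTooLarge
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return body, nil
}

// newMaliciousIntegrationServer is a constructed stand-in for an attacker's
// integration endpoint: it streams size bytes of filler to any request and
// never sets Content-Length, so the client cannot size the body up front.
func newMaliciousIntegrationServer(size int64) *httptest.Server {
	chunk := bytes.Repeat([]byte("A"), 64*1024)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		for sent := int64(0); sent < size; {
			n := int64(len(chunk))
			if size-sent < n {
				n = size - sent
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // client hung up (e.g. the bounded reader gave up)
			}
			sent += n
		}
	}))
}

func main() {
	srv := newMaliciousIntegrationServer(4 << 20) // 4 MiB, far above the cap used below
	defer srv.Close()

	body, err := readActionResponseUnbounded(srv.Client(), srv.URL)
	fmt.Printf("unbounded read: %d bytes buffered, err=%v\n", len(body), err)

	_, err = readActionResponseBounded(srv.Client(), srv.URL, 1<<20)
	fmt.Printf("bounded read (1 MiB cap): err=%v\n", err)
}
```

The important detail is that the cap is enforced on the stream (io.LimitReader) rather than on Content-Length, because the attacker controls the integration server and can send a chunked body of any size; once the reader passes the cap it stops, closes the connection, and the server-side goroutine's next write fails. The same idea applies to any server-side fetch of attacker-influenced content, not only integration actions.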
Fix
DoS
Resource Exhaustion
Affected Products
Mattermost