CVE-2026-2455

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.2.x through 11.2.2 Mattermost versions 11.3.x through 11.3.0

Description The software does not properly normalize IPv4-mapped IPv6 addresses before validating reserved IP addresses. This allows an attacker to perform Server-Side Request Forgery (SSRF) attacks against internal services using IPv4-mapped IPv6 literals, such as [::ffff:127.0.0.1]. SSRF is a web security flaw that allows an attacker to cause the server to make HTTP requests to an arbitrary domain of the attacker's choosing.

Recommendations Update Mattermost to a version beyond 10.11.10. Update Mattermost to a version beyond 11.2.2. Update Mattermost to a version beyond 11.3.0.