PT-2026-42750 · Mattermost · Mattermost

Zephrfish

·

Published

2026-05-22

·

Updated

2026-07-07

·

CVE-2026-5740

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14
Description An issue exists where msgpack-encoded WebSocket frames are not properly validated before memory allocation. This allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users by sending a crafted binary WebSocket message to the public WebSocket endpoint.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07533
CVE-2026-5740
GHSA-W9M8-P4CC-4QJ9
GO-2026-5838

Affected Products

Mattermost