CVE-2026-4646

Summary

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint.. Mattermost Advisory ID: MMSA-2026-00638

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.6.0 <= 11.6.0affected
MattermostMattermost11.5.0 <= 11.5.3affected
MattermostMattermost11.4.0 <= 11.4.4affected
MattermostMattermost10.11.0 <= 10.11.14affected
MattermostMattermost11.7.0unaffected
MattermostMattermost11.6.1unaffected
MattermostMattermost11.5.4unaffected
MattermostMattermost11.4.5unaffected
MattermostMattermost10.11.15unaffected

Weaknesses

  • CWE-1287: CWE-1287: Improper Validation of Specified Type of Input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References