CVE-2026-4915

Summary

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry.. Mattermost Advisory ID: MMSA-2026-00641

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.6.0 <= 11.6.0affected
MattermostMattermost11.5.0 <= 11.5.3affected
MattermostMattermost11.4.0 <= 11.4.4affected
MattermostMattermost10.11.0 <= 10.11.14affected
MattermostMattermost11.7.0unaffected
MattermostMattermost11.6.1unaffected
MattermostMattermost11.5.4unaffected
MattermostMattermost11.4.5unaffected
MattermostMattermost10.11.15unaffected

Weaknesses

  • CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References