CVE-2026-5308

Summary

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID: MMSA-2026-00646

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.6.0 <= 11.6.0affected
MattermostMattermost11.5.0 <= 11.5.3affected
MattermostMattermost11.4.0 <= 11.4.4affected
MattermostMattermost10.11.0 <= 10.11.14affected
MattermostMattermost11.7.0unaffected
MattermostMattermost11.6.1unaffected
MattermostMattermost11.5.4unaffected
MattermostMattermost11.4.5unaffected
MattermostMattermost10.11.15unaffected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References