CVE-2026-2454: Improper Validation of Specified Type of Input in Server

Severity
8.6 HIGH (NVD)
CNA: 5.8
EPSS
0.1% (top 66.66%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 16

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths, which allows a malicious user to cause OOM errors and crash the server by sending corrupted msgpack frames within websocket messages to the Calls plugin. Mattermost Advisory ID: MMSA-2025-00537

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 4.0

Affected Packages (2 packages)

NVD | mattermost/mattermost_server | 10.11.0 | 10.11.11 | +2
CVEListV5 | mattermost/mattermost | 11.3.0 | 11.3.0 | +2

Vulnerability Details (2)
GHSA
GHSA-3cx3-rw7f-7q37: Mattermost versions 11… (2026-03-16)
CVEList
DoS in Calls plugin via malformed msgpack in websocket request. (2026-03-16)
CVE-2026-2454 — Mattermost Server vulnerability | cvebase