CVE-2026-26233Uncontrolled Resource Consumption in Mattermost Mattermost-server

CWE-400Uncontrolled Resource Consumption6 documents5 sources
Severity
6.5MEDIUMNVD
CNA4.3
EPSS
0.1%
top 74.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Mattermost Mattermost-serverMattermost ServerMattermost
Timeline
PublishedMar 25
Latest updateApr 2

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

NVDmattermost/mattermost_server10.11.010.11.12+3
Gogithub.com/mattermost_mattermost-server11.4.0-rc111.4.1+7
CVEListV5mattermost/mattermost11.4.011.4.0+3

🔴Vulnerability Details

4
OSV
Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server2026-04-02
GHSA
Mattermost doesn't rate limit login requests, allowing DoS2026-03-25
CVEList
Denial of Service via HTTP/2 single packet attack on login endpoint2026-03-25
OSV
Mattermost doesn't rate limit login requests, allowing DoS2026-03-25

🕵️Threat Intelligence

1
Wiz
CVE-2026-26233 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-26233 — Uncontrolled Resource Consumption | cvebase