CVE-2026-4646
Published 2026-05-22
CVE-2026-4646: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers…
Priority: P4 (25)
Severity: 4.3 medium (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.25% (16.2th percentile)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-plugin-github | >= 0 < 1.0.1-0.20260330164815-c2840e980b3c | 1.0.1-0.20260330164815-c2840e980b3c |
| github.com | mattermost_mattermost-server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| github.com | mattermost_mattermost-server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| github.com | mattermost_mattermost-server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| github.com | mattermost_mattermost-server | >= 11.6.0 < 11.6.1 | 11.6.1 |
| mattermost | mattermost | 10.11.0 – 10.11.14 | — |
| mattermost | mattermost | 11.4.0 – 11.4.4 | — |
| mattermost | mattermost | 11.5.0 – 11.5.3 | — |
| mattermost | mattermost | 11.6.0 – 11.6.0 | — |
| mattermost | mattermost_server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| mattermost | mattermost_server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| mattermost | mattermost_server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| mattermost | mattermost_server | >= 11.6.0 < 11.6.1 | 11.6.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| cvelistv5 | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
GHSA (ghsa, 2026-05-26)
CVE-2026-4646 [MEDIUM] CWE-1287: Mattermost doesn't validate user-supplied input in API request handlers
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
GHSA (ghsa_unreviewed, 2026-05-26)
CVE-2026-4646 [MEDIUM] CWE-1287 GHSA-rmvv-8v8w-rf7x: Mattermost versions 11
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
VulDB (vuldb, 2026-05-22)
CVE-2026-4646 [LOW]: Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0 PR Details Endpoint improper validation of specified type of input
A vulnerability categorized as problematic has been discovered in Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0. The affected element is an unknown function of the component PR Details Endpoint. The manipulation results in improper validation of specified type of input.
This vulnerability is cataloged as CVE-2026-4646. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
CVEList (cvelistv5, 2026-05-22, CVSS 4.3)
CVE-2026-4646 [MEDIUM] CWE-1287: Insufficient input validation in GitHub plugin API causes denial of service
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers, which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-22