CVE-2026-5308
Published 2026-05-22
CVE-2026-5308: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints…
Priority: P3 · 41 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.25% (16.6th percentile)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints, which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-plugin-github | >= 0 < 1.0.1-0.20260410143745-9b41b1fd43c4 | 1.0.1-0.20260410143745-9b41b1fd43c4 |
| github.com | mattermost_mattermost-server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| github.com | mattermost_mattermost-server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| github.com | mattermost_mattermost-server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| github.com | mattermost_mattermost-server | >= 11.6.0 < 11.6.1 | 11.6.1 |
| mattermost | mattermost | 10.11.0 – 10.11.14 | — |
| mattermost | mattermost | 11.4.0 – 11.4.4 | — |
| mattermost | mattermost | 11.5.0 – 11.5.3 | — |
| mattermost | mattermost | 11.6.0 – 11.6.0 | — |
| mattermost | mattermost_server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| mattermost | mattermost_server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| mattermost | mattermost_server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| mattermost | mattermost_server | >= 11.6.0 < 11.6.1 | 11.6.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| cvelistv5 | 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
GHSA · 2026-05-26
CVE-2026-5308 [HIGH] CWE-400: Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
GHSA (unreviewed) · 2026-05-26
CVE-2026-5308 [HIGH] CWE-400: GHSA-jmvr-r5hm-fxfr: Mattermost versions 11
CVEList (cvelistv5) · 2026-05-22 · CVSS 4.9
CVE-2026-5308 [MEDIUM] CWE-400: Missing request body size limits on Zoom plugin HTTP endpoints
VulDB · 2026-05-22
CVE-2026-5308 [LOW]: Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0 resource consumption
A vulnerability was found in Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0. It has been rated as problematic. Impacted is an unknown function. The manipulation leads to resource consumption.
This vulnerability is listed as CVE-2026-5308. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-22