CVE-2026-5740
Published 2026-05-22
Priority: P3 · Severity: high · CVSS 3.1 base score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.33% (24.5th percentile)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation, which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint. Mattermost Advisory ID: MMSA-2026-00647
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| github.com | mattermost_mattermost-server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| github.com | mattermost_mattermost-server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| github.com | mattermost_mattermost-server | >= 11.6.0 < 11.6.1 | 11.6.1 |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20260410202636-17939826efa2 | 8.0.0-20260410202636-17939826efa2 |
| mattermost | mattermost | 10.11.0 – 10.11.14 | — |
| mattermost | mattermost | 11.4.0 – 11.4.4 | — |
| mattermost | mattermost | 11.5.0 – 11.5.3 | — |
| mattermost | mattermost | 11.6.0 – 11.6.0 | — |
| mattermost | mattermost_server | >= 10.11.0 < 10.11.15 | 10.11.15 |
| mattermost | mattermost_server | >= 11.4.0 < 11.4.5 | 11.4.5 |
| mattermost | mattermost_server | >= 11.5.0 < 11.5.4 | 11.5.4 |
| mattermost | mattermost_server | >= 11.6.0 < 11.6.1 | 11.6.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| cvelistv5 | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
GHSA (reviewed), 2026-05-26: CVE-2026-5740 [HIGH], CWE-789
Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
GHSA (unreviewed), 2026-05-26: CVE-2026-5740 [HIGH], CWE-789
GHSA-w9m8-p4cc-4qj9: Mattermost versions 11
VulDB, 2026-05-22: CVE-2026-5740 [LOW]
Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0 msgpack-Encoded WebSocket Frame memory allocation
A vulnerability classified as problematic was found in Mattermost up to 10.11.14/11.4.4/11.5.3/11.6.0. It affects an unknown function of the msgpack-encoded WebSocket frame handler component. Manipulation of the frame can lead to uncontrolled memory allocation (CWE-789).
This vulnerability is tracked as CVE-2026-5740. The attack can be executed remotely. No exploit is publicly available.
Upgrading the affected component is advised.
CVEList (cvelistv5), 2026-05-22, CVSS 7.5: CVE-2026-5740 [HIGH], CWE-789
Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.