CVE-2026-26233

Published: Mar 25, 2026Modified: Mar 26, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566

Affected (4)

Products: Mattermost: Mattermost Server

Mattermost

1 product

Mattermost Server

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mattermost Mattermost Server	From 10.11.0 to 10.11.12
Mattermost Mattermost Server	From 11.2.0 to 11.2.4
Mattermost Mattermost Server	From 11.3.0 to 11.3.2
Mattermost Mattermost Server	From 11.4.0 to 11.4.1

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (1)

https://mattermost.com/security-updates

Source: responsibledisclosure@mattermost.com

Vendor Advisory

Timeline

No history available yet.