{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21388", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-11T20:56:06.579Z", "datePublished": "2026-04-09T10:09:23.899Z", "dateUpdated": "2026-04-09T11:44:54.614Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "2.3.1", "status": "affected", "version": "0", "versionType": "semver"}, {"version": "2.3.2.0", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Gallegos"}], "descriptions": [{"lang": "en", "value": "Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseSeverity": "LOW", "baseScore": 3.7}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00610", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost Plugins to versions 2.3.2.0 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00610", "defect": ["https://mattermost.atlassian.net/browse/MM-67558"], "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "title": "Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-09T10:09:23.899Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T11:44:48.420691Z", "id": "CVE-2026-21388", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T11:44:54.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T11:44:48.420691Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T11:44:50.805Z"}}], "cna": {"title": "Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67558"], "advisory": "MMSA-2026-00610", "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Gallegos"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.1"}, {"status": "unaffected", "version": "2.3.2.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Plugins to versions 2.3.2.0 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00610", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-09T10:09:23.899Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21388", "state": "PUBLISHED", "dateUpdated": "2026-04-09T11:44:54.614Z", "dateReserved": "2026-02-11T20:56:06.579Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-04-09T10:09:23.899Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDC7071F-7D61-43EA-91DB-0C5F0D6388B9", "versionEndIncluding": "2.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610"}], "id": "CVE-2026-21388", "lastModified": "2026-04-25T18:02:06.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T11:16:20.897", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "2.3.2.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-04-09T11:20:58.641796+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch: update Mattermost plugins to version 2.3.2.0 or higher"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects the Mattermost plugin system. Any installation of Mattermost plugins at version 2.3.1 or older is vulnerable, regardless of the overall Mattermost server version. The vulnerability requires the attacker to be authenticated to the platform.", "description_and_impact": "Mattermost plugin versions up to and including 2.3.1 permit an authenticated attacker to directly trigger a memory exhaustion condition by sending an oversized JSON payload to the {{/lifecycle}} webhook endpoint. This flaw leads to a denial of service, as the system allocates excessive memory and may become unresponsive or crash. The weakness is a classic unbounded request body read, corresponding to CWE\u2011770.", "risk_and_exploitability": "The CVSS score of 3.7 indicates moderate severity. No EPSS data and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no documented widespread exploitation. However, exploitation requires the attacker to possess valid credentials and to craft a large JSON payload to the webhook; once achieved, the attack is straightforward and results in service disruption."}}}}, "created": "2026-04-10T08:53:46.227545+00:00", "updated": "2026-04-10T09:32:56.638791+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}