{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24661", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-11T20:56:06.566Z", "datePublished": "2026-04-09T10:12:45.340Z", "dateUpdated": "2026-04-09T11:44:35.023Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "2.1.3", "status": "affected", "version": "0", "versionType": "semver"}, {"version": "2.3.2.0", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Gallegos"}], "descriptions": [{"lang": "en", "value": "Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseSeverity": "LOW", "baseScore": 3.7}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00611", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost Plugins to versions 2.3.2.0 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00611", "defect": ["https://mattermost.atlassian.net/browse/MM-67561"], "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "title": "Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-09T10:12:45.340Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T11:44:26.767059Z", "id": "CVE-2026-24661", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T11:44:35.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24661", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T11:44:26.767059Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T11:44:30.263Z"}}], "cna": {"title": "Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67561"], "advisory": "MMSA-2026-00611", "discovery": "{\"self\"=>\"https://mattermost.atlassian.net/rest/api/2/customFieldOption/10557\", \"value\"=>\"Internal\", \"id\"=>\"10557\"}"}, "credits": [{"lang": "en", "type": "finder", "value": "Lorenzo Gallegos"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.3"}, {"status": "unaffected", "version": "2.3.2.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost Plugins to versions 2.3.2.0 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00611", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-09T10:12:45.340Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24661", "state": "PUBLISHED", "dateUpdated": "2026-04-09T11:44:35.023Z", "dateReserved": "2026-02-11T20:56:06.566Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-04-09T10:12:45.340Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6CD2E81-81BD-460E-9F3C-BF4C64449A87", "versionEndExcluding": "2.3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611"}], "id": "CVE-2026-24661", "lastModified": "2026-04-17T20:31:03.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T11:16:21.047", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Vendor Advisory"], "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.1.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "2.3.2.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-04-09T11:20:39.884373+00:00", "value": {"mitigation_remediation": ["Update Mattermost Plugins to version 2.3.2.0 or higher."], "summary": {"action": "Patch immediately", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "Mattermost plugins with versions 2.1.3.0 or earlier are vulnerable. The affected component is the MS Teams Plugin used within Mattermost, specifically the {{/changes}} webhook endpoint that accepts JSON payloads from authenticated users. An attacker must have legitimate authentication to the Mattermost instance to trigger the flaw; no anonymous exploitation path exists as described.", "description_and_impact": "The vulnerability is an unbounded request body read on the MS Teams Plugin {{/changes}} webhook endpoint, allowing an authenticated attacker to send an oversized JSON payload that consumes memory and causes the system to become unresponsive. The primary impact is a denial of service as the plugin processes large inputs and exhausts server memory, potentially affecting availability for all users of the application. This flaw maps to the unbounded resource setting weakness CWE-770.", "risk_and_exploitability": "The CVSS score of 3.7 classifies the flaw as low to moderate severity, and it is not listed in the CISA KEV catalog, indicating no known active exploitation. The EPSS score is not available, so the current exploit probability cannot be quantified. Based on the description, the attack vector is likely an authenticated request to the vulnerable webhook; the attacker must already have access to the system and can induce a denial of service through crafted payloads. Without further information on attack tooling or widespread vulnerability, the risk remains primarily an internal service interruption risk rather than a high\u2011impact breach."}}}}, "created": "2026-04-10T08:53:45.191933+00:00", "updated": "2026-04-10T09:32:55.657092+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}