CVE-2026-21388

LOW

Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint

Title source: cna
STIX 2.1

Description

Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00610
https://mattermost.com/security-updates

Scores

CVSS v3 3.7
EPSS 0.0031
EPSS Percentile 22.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (5)
Mattermost/Mattermost < 2.3.1
mattermost/mattermost < 2.3.2.0
Mattermost/Mattermost 2.3.2.0
mattermost/mattermost-plugin-msteams 0 - 1.15.1-0.20260213190728-6fe4d295592eGo
mattermost/mattermost_server < 2.3.1
Published Apr 09, 2026
Tracked Since Apr 09, 2026