CVE-2026-2454

MEDIUM

DoS in Calls plugin via malformed msgpack in websocket request.

Title source: cna

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 5.8

EPSS 0.0014

EPSS Percentile 33.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Details

CWE

CWE-1287

Status published

Products (8)

Mattermost/Mattermost 10.11.0 - 10.11.10

Mattermost/Mattermost 10.11.11

Mattermost/Mattermost 11.2.0 - 11.2.2

Mattermost/Mattermost 11.2.3

Mattermost/Mattermost 11.3.0

Mattermost/Mattermost 11.3.1

Mattermost/Mattermost 11.4.0

mattermost/mattermost_server 10.11.0 - 10.11.11

Published Mar 16, 2026

Tracked Since Mar 17, 2026