CVE-2026-4646

MEDIUM

Insufficient input validation in GitHub plugin API causes denial of service

Title source: cna

Description

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint.. Mattermost Advisory ID: MMSA-2026-00638

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

MMSA-2026-00638

https://mattermost.com/security-updates

Scores

CVSS v3 4.3

EPSS 0.0007

EPSS Percentile 22.2%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1287

Status published

Products (9)

Mattermost/Mattermost 10.11.0 - 10.11.14

Mattermost/Mattermost 10.11.15

Mattermost/Mattermost 11.4.0 - 11.4.4

Mattermost/Mattermost 11.4.5

Mattermost/Mattermost 11.5.0 - 11.5.3

Mattermost/Mattermost 11.5.4

Mattermost/Mattermost 11.6.0

Mattermost/Mattermost 11.6.1

Mattermost/Mattermost 11.7.0

Published May 22, 2026

Tracked Since May 22, 2026