Mattermost <=11.3.0, 11.2.2, 10.11.10 OOM via corrupted msgpack WS frames
CVE-2026-2454 Published on March 16, 2026
DoS in Calls plugin via malformed msgpack in websocket request.
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537
Vulnerability Analysis
CVE-2026-2454 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Products Associated with CVE-2026-2454
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Version 11.3.0, <= 11.3.0 is affected.
- Version 11.2.0, <= 11.2.2 is affected.
- Version 10.11.0, <= 10.11.10 is affected.
- Version 11.4.0 is unaffected.
- Version 11.3.1 is unaffected.
- Version 11.2.3 is unaffected.
- Version 10.11.11 is unaffected.