DOS via Zip Bomb Extraction, Mattermost <=11.4.0/11.3.1/10.11.11
CVE-2026-3114 Published on March 26, 2026
Zip Bomb Denial of Service via Unrestricted Archive Decompression
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory.. Mattermost Advisory ID: MMSA-2026-00598
Vulnerability Analysis
CVE-2026-3114 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is a Data Amplification Vulnerability?
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
CVE-2026-3114 has been classified to as a Data Amplification vulnerability or weakness.
Products Associated with CVE-2026-3114
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Version 11.4.0, <= 11.4.0 is affected.
- Version 11.3.0, <= 11.3.1 is affected.
- Version 11.2.0, <= 11.2.3 is affected.
- Version 10.11.0, <= 10.11.11 is affected.
- Version 11.5.0 is unaffected.
- Version 11.4.1 is unaffected.
- Version 11.3.2 is unaffected.
- Version 11.2.4 is unaffected.
- Version 10.11.12 is unaffected.