Cyber Posture

CVE-2026-2454

Severity: Medium
Published: 16 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)
EPSS Score: 0.0015 (34.8th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths, which allows a malicious user to cause OOM errors and crash the server by sending corrupted msgpack frames within WebSocket messages to the calls plugin. Mattermost Advisory ID: MMSA-2025-00537

Mitigating Controls (NIST 800-53 r5)

- Prevent: Requires validation of WebSocket msgpack frames to reject malformed array lengths that trigger OOM errors in the Mattermost calls plugin.
- Prevent, detect: Provides denial-of-service protection against unauthenticated remote OOM-induced server crashes via corrupted WebSocket messages.
- Prevent: Ensures error handling for invalid msgpack inputs does not result in exploitable crashes or OOM conditions.

Security Summary

CVE-2026-2454 is a vulnerability in Mattermost versions 11.3.x up to and including 11.3.0, 11.2.x up to 11.2.2, and 10.11.x up to 10.11.10, stemming from a failure to properly handle incorrectly reported array lengths in msgpack frames. This issue affects the calls plugin when processing WebSocket messages, allowing malformed inputs to trigger out-of-memory (OOM) errors and crash the server. The vulnerability is cataloged under CWE-1287 and carries a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).

An unauthenticated attacker (PR:N) with network access can exploit this by sending corrupted msgpack frames via WebSocket messages targeted at the calls plugin. The attack requires low complexity and no user interaction, enabling remote denial-of-service through OOM-induced server crashes, though it has no impact on confidentiality or integrity.

Mattermost Advisory MMSA-2025-00537 provides details on mitigation; security practitioners should consult https://mattermost.com/security-updates for patching instructions and remediation steps applicable to the affected versions.
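The validation the mitigating controls above call for, as an added example in Go (not Mattermost or calls-plugin code, and not the fix shipped under MMSA-2025-00537): a msgpack array-header reader that checks the declared element count against the bytes actually present before any allocation is sized from it. The type bytes follow the msgpack specification; maxArrayLen is an assumed ceiling chosen for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrTruncated     = errors.New("msgpack: truncated array header")
	ErrLengthExceeds = errors.New("msgpack: declared length exceeds remaining payload")
	ErrLengthLimit   = errors.New("msgpack: declared length exceeds configured limit")
)

// maxArrayLen is a hypothetical per-message ceiling chosen for this example.
const maxArrayLen = 4096
// readArrayHeader parses a fixarray (0x90-0x9f), array16 (0xdc) or array32 (0xdd)
// header and returns the element count only if the bytes that follow could hold it.
func readArrayHeader(frame []byte) (count uint32, hdrLen int, err error) {
	if len(frame) == 0 {
		return 0, 0, ErrTruncated
	}
	switch t := frame[0]; {
	case t&0xf0 == 0x90:
		count, hdrLen = uint32(t&0x0f), 1
	case t == 0xdc:
		hdrLen = 3
	case t == 0xdd:
		hdrLen = 5
	default:
		return 0, 0, fmt.Errorf("msgpack: 0x%02x is not an array type", t)
	}
	if len(frame) < hdrLen {
		return 0, 0, ErrTruncated
	}
	if hdrLen == 3 {
		count = uint32(binary.BigEndian.Uint16(frame[1:3]))
	} else if hdrLen == 5 {
		count = binary.BigEndian.Uint32(frame[1:5])
	}
	// Every element occupies at least one byte, so a count larger than the remaining
	// payload cannot be honest; a decoder that does make([]T, count) here is what OOMs.
	if uint64(count) > uint64(len(frame)-hdrLen) {
		return 0, 0, ErrLengthExceeds
	}
	if count > maxArrayLen {
		return 0, 0, ErrLengthLimit
	}
	return count, hdrLen, nil
}
```

A decoder that applies this check can still stream elements one at a time; the point is never to size an allocation from a count the wire alone vouches for.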

Details

CWE(s): CWE-1287

Affected Products: Mattermost Server 10.11.0 to 10.11.11, 11.2.0 to 11.2.3, 11.3.0 to 11.3.1

MITRE ATT&CK Enterprise Techniques

T1499.004 Endpoint Denial of Service: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to trigger out-of-memory errors and server crashes via malformed WebSocket messages to the calls plugin, directly enabling application exploitation for endpoint denial-of-service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References