SecuriTricks - CVE-2026-4915

Description

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry.. Mattermost Advisory ID: MMSA-2026-00641

Product(s) Impacted

Vendor	Product	Versions
Mattermost	Mattermost	11.6.0, 11.5.3, 11.4.4, 10.11.14

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-754

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	mattermost	mattermost	11.6.0	/	/	/	/	/	/	/
a	mattermost	mattermost	11.5.3	/	/	/	/	/	/	/
a	mattermost	mattermost	11.4.4	/	/	/	/	/	/	/
a	mattermost	mattermost	10.11.14	/	/	/	/	/	/	/

References

https://mattermost.com/security-updates

CVSS Score

6.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: May 25, 2026, 8:16 a.m.
Last Modified: May 26, 2026, 7:06 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-4915