Mattermost Input Validation Vulnerability in Hashtag Processing Allowing CPU Exhaustion

Vulnerability

A denial-of-service vulnerability has been identified in Mattermost versions 10.11.x prior to 10.11.9. The issue arises from the application's failure to properly validate input size before processing hashtags. This oversight enables an authenticated attacker to exhaust CPU resources by sending a single HTTP request that includes a post with thousands of space-separated tokens.
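The missing check described above, as an added illustration that is not Mattermost's own code: a hashtag extractor that bounds post length and token count before doing any per-token work, so the cost of one request is capped by the limits rather than by the size of the input. The function names and limit values are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Constructed limits for this example; the page does not state Mattermost's own values.
const (
	maxPostLen = 16384 // bytes accepted before hashtag processing
	maxTokens  = 2000  // space-separated tokens accepted per post
)

var ErrPostTooLarge = errors.New("post exceeds size limit for hashtag processing")

// isHashtag reports whether a single token is a hashtag: '#' followed by one or
// more letters, digits or underscores (a deliberately strict rule for this example).
func isHashtag(tok string) bool {
	if len(tok) < 2 || tok[0] != '#' {
		return false
	}
	for _, r := range tok[1:] {
		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '_' {
			return false
		}
	}
	return true
}

// ExtractHashtags returns the distinct, lower-cased hashtags in message.
// Size checks run first: an oversized post is rejected in O(1) on its byte
// length, and a post with too many tokens is rejected before any token is
// inspected, which is the guard the advisory says was missing.
func ExtractHashtags(message string) ([]string, error) {
	if len(message) > maxPostLen {
		return nil, ErrPostTooLarge
	}
	tokens := strings.Fields(message)
	if len(tokens) > maxTokens {
		return nil, ErrPostTooLarge
	}
	seen := make(map[string]bool)
	var tags []string
	for _, tok := range tokens {
		if !isHashtag(tok) {
			continue
		}
		tag := strings.ToLower(tok)
		if !seen[tag] {
			seen[tag] = true
			tags = append(tags, tag)
		}
	}
	return tags, nil
}

func main() {
	fmt.Println(ExtractHashtags("release #v10 notes #security #V10 done"))
}
```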

Impact

Exploitation of this vulnerability leads to excessive CPU resource consumption, causing a denial-of-service condition on the affected server.

Remediation

Users can upgrade to Mattermost version 11.3.0 or 10.11.10 to address this vulnerability.

Added: Jan 16, 2026, 9:20 AM
Updated: Jan 16, 2026, 4:14 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 2.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.