Primary

Context

Mattermost Channel Notification Timing Vulnerability Leading to Denial-of-Service

Vulnerability

Patched

A denial-of-service vulnerability has been identified in Mattermost versions 11.6.0, 11.5.3, 11.4.4, and 10.11.14. The issue arises because the application fails to archive channels before removing persistent notifications. This flaw allows an authenticated user to crash the server by carefully timing the sending of a persistent notification message to coincide with the server's deletion of existing notifications and the archiving of the channel.

Impact

Exploitation of this vulnerability can lead to a server crash, causing a denial-of-service condition where the server becomes unresponsive or unavailable.

Remediation

Users can upgrade to Mattermost versions 11.8.0 or 11.7.18 to address this vulnerability.

Added: May 26, 2026, 4:23 PM

Updated: May 26, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

4.8

remediation

8.3

relevance

9.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

4.8

remediation

8.3

relevance

9.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Channel Notification Timing Vulnerability Leading to Denial-of-Service

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating