Primary

Context

Mattermost Denial-of-Service Vulnerability via Crafted WebSocket Messages

Vulnerability

Patched

A denial-of-service vulnerability has been identified in Mattermost versions 11.6.0, 11.5.3, 11.4.4, and 10.11.14. The issue arises because the application fails to properly validate msgpack-encoded WebSocket frames before allocating memory. This flaw allows an unauthenticated remote attacker to send a malicious binary WebSocket message to the public WebSocket endpoint, crashing the server process and causing a complete service outage for all users.

Impact

Exploitation of this vulnerability leads to a server crash, causing a full service outage for all users.

Remediation

Users can upgrade to Mattermost versions 11.8.0 or 11.7.18 to address this vulnerability.

Added: May 26, 2026, 4:21 PM

Updated: May 26, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

8.3

relevance

9.1

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

8.3

relevance

9.1

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Denial-of-Service Vulnerability via Crafted WebSocket Messages

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating