CVE-2026-25783
User-Agent Header Validation Flaw Causes Panic in Mattermost
Publication date: 2026-03-16
Last updated on: 2026-03-18
Assigner: Mattermost, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.11 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.3 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Mattermost versions 11.3.0 and earlier in the 11.3.x series, 11.2.2 and earlier in the 11.2.x series, and 10.11.10 and earlier in the 10.11.x series. It occurs because these versions fail to properly validate User-Agent header tokens. An authenticated attacker can exploit this by sending a specially crafted User-Agent header, which causes the application to panic during request processing.
How can this vulnerability impact me?
The impact of this vulnerability is a denial of service condition. Because the specially crafted User-Agent header causes a request panic, it can disrupt normal operation of the Mattermost server, potentially leading to service interruptions or degraded availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know