CVE-2026-26233
Denial of Service via Unrestricted Login Requests in Mattermost
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.12 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.4 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.2 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in certain versions of Mattermost (11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11) where the software fails to rate limit login requests.
Because of this, unauthenticated remote attackers can send a large number of parallel login requests (100 or more) using an HTTP/2 single packet attack, which can cause the server to crash and restart.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service condition.
An attacker can cause the Mattermost server to crash and restart by sending many parallel login requests without authentication, potentially disrupting service availability.