CVE-2026-3114
Zip Bomb Denial of Service in Mattermost File Extraction

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction, which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory.

Mattermost Advisory ID: MMSA-2026-00598
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15
Affected Vendors & Products (4 associated CPEs)
Vendor | Product | Version / Range
mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.12 (exc)
mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.4 (exc)
mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.2 (exc)
mattermost | mattermost_server | 11.4.0
CWE ID | Description
CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Executive Summary

This vulnerability exists in certain versions of Mattermost (11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11) where the software fails to validate the decompressed sizes of archive entries during file extraction.

Because of this, authenticated users who have file upload permissions can upload specially crafted zip archives containing highly compressed entries, known as zip bombs.

These zip bombs cause the server to exhaust its memory resources during extraction, leading to a denial of service condition.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) on the Mattermost server.

An attacker who is authenticated and has permission to upload files can exploit this by uploading a crafted zip archive that consumes excessive server memory during extraction.

This can cause the server to become unresponsive or crash, disrupting normal operations and availability of the Mattermost service.
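The missing validation the description and CWE-409 point at, shown as an added Go example (Mattermost is written in Go) that is not the project's own code: a bounded zip walker that caps both the per-entry and the whole-archive decompressed size, treating the attacker-controlled size declared in the central directory only as a fast-fail hint and then counting the bytes the decompressor actually emits through an io.LimitReader. The function name, the ErrTooLarge sentinel and the limits a caller passes are assumptions, not Mattermost's API or configuration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when an archive would inflate past the given limits (assumed name).
var ErrTooLarge = errors.New("archive exceeds decompression limits")

// ExtractBounded reads every entry of an in-memory zip and returns the total
// decompressed size, aborting once any entry would exceed maxEntry bytes or
// the whole archive would exceed maxTotal bytes (hypothetical helper).
func ExtractBounded(archive []byte, maxEntry, maxTotal int64) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range zr.File {
		allow := maxEntry // bytes this entry may add without breaking either cap
		if maxTotal-total < allow {
			allow = maxTotal - total
		}
		// Gate 1: the attacker-controlled declared size, used only to fail fast.
		if int64(f.UncompressedSize64) > allow {
			return total, fmt.Errorf("%w: %s declares %d bytes", ErrTooLarge, f.Name, f.UncompressedSize64)
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Gate 2: count what the decompressor really emits; the +1 byte of
		// allowance tells "exactly at the limit" apart from "over it".
		n, err := io.Copy(io.Discard, io.LimitReader(rc, allow+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if n > allow {
			return total, fmt.Errorf("%w: %s inflates past %d bytes", ErrTooLarge, f.Name, allow)
		}
		total += n
	}
	return total, nil
}
```

Because the byte count is enforced while streaming, an entry whose header lies about its size is still cut off at the cap, and the memory held at any moment is bounded by the copy buffer rather than by the archive's true inflated size.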
