CVE-2026-21388
Denial of Service via Memory Exhaustion in Mattermost Plugins

Publication date: 2026-04-09

Last updated on: 2026-04-25

Assigner: Mattermost, Inc.

Description
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint, which allows an authenticated attacker to cause memory exhaustion and denial of service by sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
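The weakness class above (CWE-770, no cap on the request body) and its fix are easy to show side by side. The Go example below is added here and is not Mattermost code; the handler names, the `lifecycleEvent` JSON shape and the 1 KiB cap are assumptions chosen for illustration. The unbounded handler decodes whatever arrives, so the client decides how much the server buffers; the bounded handler wraps the body in `http.MaxBytesReader`, so reads stop at the cap and the server answers 413 instead of allocating.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxLifecycleBody caps the webhook body. 1 KiB is an assumed value so the
// example runs quickly; size it to the largest legitimate payload in practice.
const maxLifecycleBody = 1 << 10

// lifecycleEvent is an assumed stand-in for the webhook's JSON payload.
type lifecycleEvent struct {
	Event string `json:"event"`
}

// unboundedHandler illustrates the CWE-770 pattern: the body is decoded with
// no size limit, so memory use scales with whatever the client sends.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	var ev lifecycleEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler is the hardened form: http.MaxBytesReader stops reading at
// the cap, the decoder surfaces *http.MaxBytesError, and the server replies
// 413 Request Entity Too Large without buffering the rest of the body.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxLifecycleBody)
	var ev lifecycleEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// post drives a handler with an in-memory POST and returns the status code.
func post(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/lifecycle", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	h(rec, req)
	return rec.Code
}

// oversizedJSON builds a syntactically valid object whose string field pushes
// the body past the cap (constructed test input).
func oversizedJSON(n int) string {
	return fmt.Sprintf(`{"event":"%s"}`, strings.Repeat("A", n))
}

func main() {
	small := `{"event":"started"}`
	big := oversizedJSON(maxLifecycleBody)
	fmt.Println("unbounded, small body:", post(unboundedHandler, small))
	fmt.Println("unbounded, oversized: ", post(unboundedHandler, big))
	fmt.Println("bounded, small body:  ", post(boundedHandler, small))
	fmt.Println("bounded, oversized:   ", post(boundedHandler, big))
}
```

The cap belongs on every endpoint that decodes a client-supplied body, not just this one; applying it in a middleware that wraps the whole router is the usual way to avoid missing a route. On the detection side, a spike in 413 responses or in request sizes on a webhook path is a cheap signal that someone is probing the limit.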
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: mattermost
Product: mattermost_server
Version / Range: up to 2.3.1 (inclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

Mattermost Plugins versions up to 2.3.1 have a vulnerability where the request body size is not limited on the /lifecycle webhook endpoint.

This allows an authenticated attacker to send an oversized JSON payload which can cause memory exhaustion and lead to a denial of service.

Impact Analysis

The vulnerability can be exploited by an authenticated attacker to cause memory exhaustion on the affected system.

This results in a denial of service condition, potentially making the Mattermost Plugins unavailable or unstable.
