CVE-2026-2325
Memory Exhaustion in Mattermost Start Meeting API
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: Mattermost, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.14 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.4 (exc) |
| mattermost | mattermost_server | From 11.5.0 (inc) to 11.5.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Mattermost versions 11.5.x up to and including 11.5.1, 10.11.x up to and including 10.11.13, and 11.4.x up to and including 11.4.3. It occurs because the application fails to limit the size of the request body on the start meeting API endpoint.
An authenticated attacker can exploit this by sending a crafted oversized HTTP POST request to the /api/v1/meetings endpoint.
This can cause resource exhaustion or denial of service (DoS) on the affected system.
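The following Go example, added here and not taken from the Mattermost code base, illustrates the CWE-770 pattern the answer above describes and the fix for it. The request type, the handler bodies and the 16 KiB cap are assumptions for illustration; the real Mattermost payload and fix are not described on this page. The unbounded handler buffers whatever the client sends, while the bounded one wraps the body in `http.MaxBytesReader` so an oversized request is refused with HTTP 413 before it can consume memory.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// startMeetingRequest is an assumed payload shape for the start-meeting
// endpoint; the page does not describe Mattermost's actual request body.
type startMeetingRequest struct {
	ChannelID string `json:"channel_id"`
	Topic     string `json:"topic"`
}

// maxMeetingBody is an assumed cap. A start-meeting request is a small JSON
// object, so a few KiB is generous; anything larger is not a legitimate call.
const maxMeetingBody int64 = 16 << 10 // 16 KiB

// unboundedHandler shows the CWE-770 pattern: the entire body is buffered in
// memory with no upper bound, so the allocation size is chosen by the client.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	data, err := io.ReadAll(r.Body) // grows until the client stops sending
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var req startMeetingRequest
	if err := json.Unmarshal(data, &req); err != nil {
		http.Error(w, "invalid json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler wraps the body in http.MaxBytesReader: once more than
// maxMeetingBody bytes have been read, the next read fails with
// *http.MaxBytesError and the request is rejected with 413, so the decoder
// never allocates more than the cap.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxMeetingBody)
	var req startMeetingRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "invalid json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postStatus drives a handler with a constructed POST whose "topic" field is
// topicLen bytes long (so the decoder has to consume the whole payload) and
// returns the status code the handler produced.
func postStatus(h http.HandlerFunc, topicLen int) int {
	body := `{"channel_id":"c1","topic":"` + strings.Repeat("A", topicLen) + `"}`
	req := httptest.NewRequest(http.MethodPost, "/api/v1/meetings", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	const small, large = 64, 1 << 20 // 64-byte vs 1 MiB topic, both constructed
	fmt.Printf("unbounded handler: small=%d large=%d\n",
		postStatus(unboundedHandler, small), postStatus(unboundedHandler, large))
	fmt.Printf("bounded handler:   small=%d large=%d\n",
		postStatus(boundedHandler, small), postStatus(boundedHandler, large))
}
```

Running it shows the unbounded handler answering 200 to both the small and the 1 MiB request, while the bounded handler answers 200 to the small one and 413 to the oversized one. The cap is enforced by the reader, not by trusting `Content-Length`, which a client can omit or misstate.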
How can this vulnerability impact me?
The primary impact of this vulnerability is the potential for resource exhaustion or denial of service on the Mattermost server.
An attacker who is authenticated can send oversized requests to the start meeting API endpoint, which may cause the server to become unresponsive or crash, disrupting normal operations.
This can lead to downtime, loss of availability of the Mattermost service, and interruption of communication for users relying on the platform.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the failure to limit the size of the request body on the start meeting API endpoint at /api/v1/meetings, which can be exploited by sending crafted oversized HTTP POST requests.
To detect this vulnerability on your network or system, you can monitor HTTP POST requests to the /api/v1/meetings endpoint and check for unusually large request bodies that exceed normal size limits.
Suggested commands include using network monitoring tools or command-line utilities such as curl or tcpdump to capture and analyze traffic:
- Use tcpdump to capture HTTP POST requests to the endpoint: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/v1/meetings'`
- Use curl to simulate a POST request and observe response behavior: `curl -X POST -d @large_payload.json https://<mattermost-server>/api/v1/meetings -H 'Authorization: Bearer <token>' -v`
Monitoring server logs for unusually large POST request bodies or denial of service symptoms can also help detect exploitation attempts.
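As an added example of the log monitoring suggested above (not part of this page or of Mattermost), the Go program below scans reverse-proxy access-log lines for POSTs to /api/v1/meetings whose request size exceeds a baseline and aggregates them per authenticated user. The log format, the trailing request-size field (modelled on nginx's `$request_length`), the sample lines and the 64 KiB baseline are all constructed assumptions; adapt the regular expression to whatever your proxy actually writes.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample access-log lines in a reverse-proxy style:
//   client user [time] "METHOD path proto" status resp_bytes req_bytes
// The trailing req_bytes field is assumed to carry the request size, as
// nginx's $request_length does. This is not Mattermost's own log format.
const sampleLog = `10.0.0.5 alice [18/May/2026:10:00:01 +0000] "POST /api/v1/meetings HTTP/1.1" 200 312 540
10.0.0.5 alice [18/May/2026:10:00:02 +0000] "GET /api/v4/users/me HTTP/1.1" 200 1200 210
10.0.0.9 mallory [18/May/2026:10:00:03 +0000] "POST /api/v1/meetings HTTP/1.1" 200 312 52428800
10.0.0.7 bob [18/May/2026:10:00:05 +0000] "POST /api/v1/meetings HTTP/1.1" 200 312 610
10.0.0.9 mallory [18/May/2026:10:00:06 +0000] "POST /api/v1/meetings HTTP/1.1" 502 0 104857600
`

// meetingsPath is the endpoint named in the advisory.
const meetingsPath = "/api/v1/meetings"

// maxNormalBody is an assumed baseline: a legitimate start-meeting call is
// well under 64 KiB, so larger bodies are worth an alert.
const maxNormalBody int64 = 64 << 10

var lineRE = regexp.MustCompile(`^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d+) (\d+) (\d+)$`)

// hit is one oversized POST to the meetings endpoint.
type hit struct {
	Client string
	User   string
	Time   string
	Status int
	Bytes  int64
}

// findOversized scans log text and returns every POST to meetingsPath whose
// request size exceeds threshold. Lines that do not match the format are skipped.
func findOversized(logText string, threshold int64) []hit {
	var hits []hit
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		method, path := m[4], m[5]
		path, _, _ = strings.Cut(path, "?") // ignore any query string
		if method != "POST" || path != meetingsPath {
			continue
		}
		size, err := strconv.ParseInt(m[8], 10, 64)
		if err != nil || size <= threshold {
			continue
		}
		status, _ := strconv.Atoi(m[6])
		hits = append(hits, hit{Client: m[1], User: m[2], Time: m[3], Status: status, Bytes: size})
	}
	return hits
}

// countByUser aggregates hits per authenticated user; the advisory describes
// an authenticated attacker, so repeat offenders are the useful signal.
func countByUser(hits []hit) map[string]int {
	counts := make(map[string]int)
	for _, h := range hits {
		counts[h.User]++
	}
	return counts
}

func main() {
	hits := findOversized(sampleLog, maxNormalBody)
	for _, h := range hits {
		fmt.Printf("ALERT %s user=%s client=%s status=%d body=%d bytes\n",
			h.Time, h.User, h.Client, h.Status, h.Bytes)
	}
	for user, n := range countByUser(hits) {
		fmt.Printf("%s: %d oversized request(s)\n", user, n)
	}
}
```

On the constructed sample the two requests from `mallory` are flagged and the normal-sized calls from `alice` and `bob` are not. A 502 on an oversized request, as in the last sample line, is also worth correlating with upstream memory pressure, since it is the symptom side of the same event.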
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Mattermost to a version later than 11.5.1, 10.11.13, or 11.4.3 where this vulnerability is fixed.
If updating is not immediately possible, implement request size limits on the /api/v1/meetings endpoint at the web server or application firewall level to prevent oversized POST requests.
Additionally, monitor and restrict authenticated user activity to detect and block abnormal request patterns that may indicate exploitation attempts.