CVE-2026-4915
Denial of Service in Mattermost via Null Webhook Attachments
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost | to 11.6.0 (inc) |
| mattermost | mattermost | to 11.5.3 (inc) |
| mattermost | mattermost | to 11.4.4 (inc) |
| mattermost | mattermost | to 10.11.14 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects certain versions of Mattermost where the software fails to filter out nil (null) elements from outgoing webhook attachment payloads before processing them.
An authenticated user can exploit this by sending a specially crafted webhook callback response that contains a null attachment entry.
This causes the server process to terminate unexpectedly, resulting in a denial of service.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) condition.
An attacker who is authenticated can cause the Mattermost server process to terminate by sending a crafted webhook callback response with a null attachment.
This can disrupt normal operations, causing downtime and potentially affecting availability of the Mattermost service.