Platform: mattermost
Component: mattermost
Fixed in: 2.3.2.0
1.15.1-0.20260213190728-6fe4d295592e
CVE-2026-21388 describes a denial-of-service (DoS) vulnerability affecting Mattermost Plugins versions 0.0.0 through 2.3.2.0. An authenticated attacker can exploit this flaw by sending excessively large JSON payloads to the /lifecycle webhook endpoint, leading to memory exhaustion and potential service disruption. The vulnerability has been assigned Mattermost Advisory ID MMSA-2026-00610 and a CVSS score of 3.7 (LOW). A fix is available in version 2.3.2.0.
The primary impact of CVE-2026-21388 is a denial-of-service condition within a Mattermost instance. An attacker can trigger this by sending a large JSON payload to the /lifecycle webhook endpoint, overwhelming the server's memory resources. This can lead to service instability, slow response times, and potentially a complete shutdown of the Mattermost application. While the CVSS score is low, the impact can still be disruptive, particularly in environments where Mattermost is critical for communication and collaboration. The blast radius is limited to the affected Mattermost instance.
CVE-2026-21388 was published on 2026-04-09. Its CVSS score is 3.7 (LOW). Mattermost Advisory ID: MMSA-2026-00610. No public exploits are currently known. The vulnerability is not listed on KEV or EPSS, indicating a low probability of exploitation. Monitor Mattermost security advisories for updates.
Organizations utilizing Mattermost Plugins, particularly those with custom integrations or plugins that heavily rely on webhooks, are at risk. Environments with weak authentication controls or compromised user accounts are more vulnerable, as successful exploitation requires authentication. Shared hosting environments where multiple users share the same Mattermost instance could also be affected.
• linux / server: Monitor Mattermost plugin process memory usage using top or htop. Look for unusually high memory consumption.
top -u mattermost
• generic web: Examine Mattermost access logs for unusually large POST requests to the /lifecycle endpoint. Note that the default nginx combined log format records only the response size ($body_bytes_sent, field 10), not the request body size; add $request_length to the log_format to capture the latter.
grep 'POST /lifecycle' /var/log/nginx/access.log | awk '{print $10, $7}' | sort -n | tail -5
• go: Review Mattermost plugin code for proper request body size validation on the /lifecycle endpoint. Look for missing or inadequate size checks.
EPSS: 0.05% (16th percentile)
The recommended mitigation for CVE-2026-21388 is to upgrade Mattermost Plugins to version 2.3.2.0 or later. If an immediate upgrade is not feasible, implement a Web Application Firewall (WAF) or proxy to limit the size of incoming requests to the /lifecycle webhook endpoint. Configure the WAF/proxy to reject requests exceeding a reasonable size threshold (e.g., 1MB). Monitor Mattermost server resource utilization (CPU, memory) for signs of exhaustion. After upgrading, verify the fix by attempting to send an oversized JSON payload to the webhook endpoint; the request should be rejected by the server.
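As an added illustration, not Mattermost's own code, the following hypothetical Go webhook handler shows the unbounded pattern that the go review hint above tells you to look for, beside a hardened version that bounds the body with http.MaxBytesReader at the 1 MB threshold the mitigation guidance suggests. The handler names, the lifecycleEvent struct and the /lifecycle path are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
)

// maxLifecycleBody caps the webhook body at 1 MB, the example threshold
// from the mitigation guidance; tune it to the largest legitimate event.
const maxLifecycleBody = 1 << 20

// lifecycleEvent is an assumed placeholder for the webhook payload shape.
type lifecycleEvent struct {
	Event string `json:"event"`
}

// unboundedHandler is the pattern to flag in review: the decoder pulls the
// whole body into memory, however large, before anything can reject it.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	var ev lifecycleEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler wraps r.Body with http.MaxBytesReader: reads stop at the cap
// and yield *http.MaxBytesError, which is answered with 413 (Go 1.19+).
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxLifecycleBody)
	var ev lifecycleEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/lifecycle", boundedHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

A WAF or reverse proxy in front of the endpoint can enforce the same cap, but the in-process limit also protects deployments that talk to the plugin directly.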
Update the /lifecycle plugin to version 2.3.2.0 or later to mitigate the vulnerability. This update limits the size of the request body, preventing memory exhaustion and the denial of service.
CVE-2026-21388 is a denial-of-service vulnerability in Mattermost Plugins versions 0.0.0–2.3.2.0 where an attacker can cause memory exhaustion by sending oversized JSON payloads.
You are affected if you are running Mattermost Plugins versions 0.0.0 through 2.3.2.0 and have not yet upgraded.
Upgrade Mattermost Plugins to version 2.3.2.0 or later to remediate the vulnerability. Consider temporary workarounds like limiting request body sizes if immediate upgrading is not possible.
There is currently no indication of active exploitation of CVE-2026-21388.
The official Mattermost advisory for CVE-2026-21388 is published under Mattermost Advisory ID MMSA-2026-00610.