Platform
mattermost
Component
mattermost
Fixed in
2.3.2.0
1.15.1-0.20260213190728-6fe4d295592e
CVE-2026-21388 describes a denial-of-service (DoS) vulnerability affecting Mattermost Plugins versions 0.0.0 through 2.3.2.0. An authenticated attacker can exploit this flaw by sending excessively large JSON payloads to the /lifecycle webhook endpoint, leading to memory exhaustion and potential service disruption. The vulnerability has been assigned Mattermost Advisory ID: MMSA-2026-00610 and a CVSS score of 3.7 (LOW). A fix is available in version 2.3.2.0.
This vulnerability allows an authenticated attacker to induce a denial-of-service condition within the Mattermost Plugins environment. By crafting and sending oversized JSON payloads to the /lifecycle webhook endpoint, the attacker can overwhelm the plugin's memory resources, causing it to become unresponsive or crash. This can disrupt critical plugin functionality and potentially impact the overall availability of the Mattermost instance. The impact is primarily limited to the plugin itself, but a prolonged DoS could indirectly affect other services relying on the plugin's functionality. Successful exploitation requires authentication, limiting the attack surface but still posing a risk in environments with compromised user accounts or weak authentication mechanisms.
CVE-2026-21388 was publicly disclosed on 2026-04-09. There is no indication of active exploitation at this time. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit, increasing the likelihood of PoC development and potential future exploitation.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-21388 is to upgrade Mattermost Plugins to version 2.3.2.0 or later, which includes the fix for this vulnerability. If immediate upgrading is not feasible, consider implementing temporary workarounds to limit the size of incoming webhook payloads. This could involve configuring a reverse proxy or WAF to enforce maximum request body size limits. Additionally, review and restrict access to the /lifecycle webhook endpoint to only trusted sources. Monitor Mattermost plugin resource usage for signs of excessive memory consumption, which could indicate an ongoing attack. After upgrading, confirm the fix by sending a large JSON payload to the /lifecycle webhook endpoint and verifying that the plugin handles it gracefully without crashing or experiencing memory exhaustion.
Update the /lifecycle plugin to version 2.3.2.0 or higher to mitigate the vulnerability. This update limits the request body size, preventing memory exhaustion and denial of service.
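The fix described above is a request body cap. The following Go program is an added example written for this page, not the Mattermost plugin's own code: it places an unbounded JSON webhook handler beside one that wraps the body in http.MaxBytesReader, then drives both in-process with httptest. The /lifecycle path, the 64 KiB cap, the lifecycleEvent struct and both payloads are assumptions constructed for the demonstration; the real plugin's schema and limit are not stated on the page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed cap on a lifecycle webhook body. The plugin's real limit is not
// given on the page, so this value is a placeholder chosen for illustration.
const maxLifecycleBody = 64 << 10 // 64 KiB

// lifecycleEvent is a hypothetical payload shape, not the plugin's real schema.
type lifecycleEvent struct {
	Event string `json:"event"`
	ID    string `json:"id"`
}

// unboundedHandler shows the risky pattern: the entire body is buffered in
// memory before decoding, so the allocation is bounded only by what the
// caller chooses to send.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	raw, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	var ev lifecycleEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler wraps the body in http.MaxBytesReader so that at most
// maxLifecycleBody bytes are ever read. Reading past the cap aborts the
// decode with *http.MaxBytesError, which is mapped to 413 instead of 400
// so the client (and the logs) can distinguish "too big" from "malformed".
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxLifecycleBody)
	var ev lifecycleEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postLifecycle drives a handler in-process with httptest (no network) and
// returns the HTTP status code it produced.
func postLifecycle(h http.HandlerFunc, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/lifecycle", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// normalPayload is a constructed, well-formed event a few dozen bytes long.
func normalPayload() string {
	return `{"event":"activate","id":"example-plugin"}`
}

// oversizedPayload is a constructed, syntactically valid JSON document whose
// single string field is padded to 1 MiB, well past maxLifecycleBody.
func oversizedPayload() string {
	return `{"event":"activate","id":"` + strings.Repeat("a", 1<<20) + `"}`
}

func main() {
	fmt.Println("unbounded handler, oversized body:", postLifecycle(unboundedHandler, oversizedPayload()))
	fmt.Println("bounded handler, normal body:      ", postLifecycle(boundedHandler, normalPayload()))
	fmt.Println("bounded handler, oversized body:   ", postLifecycle(boundedHandler, oversizedPayload()))
}
```

The in-process cap is the durable fix because it holds regardless of how the plugin is deployed. The reverse-proxy workaround mentioned above is the same idea enforced one hop earlier (for example nginx's client_max_body_size directive), which is useful while waiting to upgrade but does not protect a plugin reached by any path that bypasses the proxy.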
CVE-2026-21388 is a denial-of-service vulnerability in Mattermost Plugins versions 0.0.0–2.3.2.0 where an attacker can cause memory exhaustion by sending oversized JSON payloads.
You are affected if you are running Mattermost Plugins versions 0.0.0 through 2.3.2.0 and have not yet upgraded.
Upgrade Mattermost Plugins to version 2.3.2.0 or later to remediate the vulnerability. Consider temporary workarounds like limiting request body sizes if immediate upgrading is not possible.
There is currently no indication of active exploitation of CVE-2026-21388.
You can find the official Mattermost advisory for CVE-2026-21388 at Mattermost Advisory ID: MMSA-2026-00610.