Platform
mattermost
Component
mattermost
Fixed in
2.3.2.0
1.15.1-0.20260213190728-6fe4d295592e
CVE-2026-24661 is a denial-of-service (DoS) vulnerability in Mattermost Plugins versions earlier than 2.3.2.0. An attacker can trigger it by sending excessively large JSON payloads to the /changes webhook endpoint; the plugin reads the whole body into memory, so the request exhausts server memory and disrupts service. The issue carries Mattermost Advisory ID MMSA-2026-00611 and a CVSS score of 3.7 (LOW). The fix ships in version 2.3.2.0.
This vulnerability allows an authenticated attacker to cause a denial-of-service condition on a Mattermost instance. By sending oversized JSON payloads to the /changes webhook endpoint, the attacker forces the server to allocate memory proportional to the request size, which can drive the Mattermost process to the point where it becomes unresponsive and legitimate users can no longer communicate. The impact is on availability only; no confidentiality or integrity loss is described, and the main secondary effect of a prolonged outage is that messages and integrations in flight at the time are not processed. Because the attack requires authentication, the pool of potential attackers is limited to those who already have access to the Mattermost system.
CVE-2026-24661 was publicly disclosed on 2026-04-09. There is no indication of active exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. No public proof-of-concept (PoC) is known, but the flaw needs nothing more than an oversized JSON body POSTed to the endpoint, so the absence of a PoC should not be read as a barrier to exploitation.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24661 is to upgrade Mattermost Plugins to version 2.3.2.0 or later, which contains the fix. If an immediate upgrade is not feasible, the most direct workaround is to enforce a request-body size limit in front of the Mattermost server for the /changes webhook path (for example with the nginx client_max_body_size directive on a reverse proxy), since the root cause is an unbounded body read and a proxy limit stops the oversized request before the plugin ever sees it; rate limiting the endpoint reduces how often the attack can be repeated but does not stop a single large request from being buffered. Provision enough memory to absorb legitimate traffic spikes, and monitor memory and CPU usage for sudden growth that might indicate an ongoing attack. After upgrading, confirm the fix in a staging environment rather than production: POST a JSON payload well above the expected size to the /changes webhook endpoint and verify that the request is rejected rather than buffered and that server memory does not grow with the payload size.
Update the affected plugin to version 2.3.2.0 or later. The fix limits the size of the request body read by the /changes webhook endpoint, so an oversized payload is rejected before it can exhaust memory and cause a denial of service.
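The following is an added example, not code from the Mattermost plugin or the advisory. It shows the class of bug described above and the kind of fix the advisory summarises: a webhook handler that reads its whole body with io.ReadAll (the caller controls the allocation) next to a handler that caps the body with http.MaxBytesReader before decoding. Plain net/http handlers driven through httptest stand in for the plugin's own HTTP hook so the example runs offline; the changeEvent fields, the 1 MiB cap and the sample payloads are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBody is the largest request body the hardened handler accepts.
// The advisory says only that the fix limits the body size; 1 MiB is an
// assumption chosen for this example, not the value the plugin uses.
const maxWebhookBody = 1 << 20

// changeEvent is a stand-in for the structure the real /changes webhook
// decodes; its fields are invented for this example.
type changeEvent struct {
	Project string   `json:"project"`
	Changes []string `json:"changes"`
}

// vulnerableChangesHandler shows the flawed pattern: the whole body is read
// into memory before decoding, so the sender decides how much the server
// allocates. A multi-gigabyte POST lands on the heap byte for byte.
func vulnerableChangesHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // unbounded read
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	var ev changeEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedChangesHandler caps the body with http.MaxBytesReader before any
// read. Streaming through json.Decoder alone is not enough: one huge string
// or array literal still has to be buffered before it can be decoded, so the
// cap is what bounds memory. Once the cap is exceeded the decoder surfaces
// *http.MaxBytesError and the request is rejected with 413 instead of parsed.
func hardenedChangesHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBody)
	var ev changeEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// oversizedPayload builds a syntactically valid /changes event whose single
// array element is n bytes long. This is constructed test input, not a
// captured request.
func oversizedPayload(n int) string {
	return `{"project":"demo","changes":["` + strings.Repeat("a", n) + `"]}`
}

// post drives a handler in-process with httptest and returns the HTTP status
// it produced, so the two handlers can be compared without a live server.
func post(h http.HandlerFunc, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/changes", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	small := `{"project":"demo","changes":["c1","c2"]}`
	big := oversizedPayload(4 << 20) // 4 MiB, well over the cap
	fmt.Println("vulnerable, small:", post(vulnerableChangesHandler, small))
	fmt.Println("vulnerable, big:  ", post(vulnerableChangesHandler, big))
	fmt.Println("hardened, small:  ", post(hardenedChangesHandler, small))
	fmt.Println("hardened, big:    ", post(hardenedChangesHandler, big))
}
```

The vulnerable handler returns 200 for both payloads because it happily buffers whatever it is given; the hardened one returns 200 for the small event and 413 for the oversized one, having read at most one byte past the cap. The same cap belongs on every endpoint that decodes caller-supplied JSON, not only the one named in this advisory, and a reverse-proxy body limit in front of the server gives the same protection to plugins that have not yet been patched.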
CVE-2026-24661 is a denial-of-service vulnerability in Mattermost Plugins versions earlier than 2.3.2.0, in which an attacker can exhaust server memory by sending oversized JSON payloads to the /changes webhook endpoint.
You are affected if you run Mattermost Plugins at any version earlier than 2.3.2.0. Upgrade to 2.3.2.0 or later to remove the risk.
Upgrade Mattermost Plugins to version 2.3.2.0 or later. As a temporary workaround, enforce a request-body size limit for the /changes webhook endpoint at a reverse proxy, and rate limit the endpoint to reduce repeated attempts.
There is currently no indication of active exploitation of CVE-2026-24661.
The official Mattermost advisory for CVE-2026-24661 is published under Mattermost Advisory ID MMSA-2026-00611.