Zero Day MonitorZDM

← Back to list

3.7

CVE-2026-24661PATCHED

mattermost · mattermost

Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint

Description

Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611

Affected Products

Vendor	Product	Versions
mattermost	mattermost	0

References

https://mattermost.com/security-updates(vendor-advisory)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-24661 | Mattermost Plugins up to 2.1.3 Changes Webhook Endpoint allocation of resources

→ No new info (linked only)

CVSS 3.13.7 LOW

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA KEV❌ No

Actively exploited❌ No

Patch available

null

CWECWE-770

PublishedApr 9, 2026

Last enriched5h agov2

Tags

CVE-2026-24661

Trending Score21

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-3524EXP

Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check

LOWCVE-2026-21388

Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint

HIGHCVE-2026-25773EXP

Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)

MEDIUMCVE-2026-28736EXP

Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)

MEDIUMCVE-2026-26233

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 9, 2026

Discovered by ZDM

Apr 9, 2026

Updated: description, patchAvailable, tags

Apr 9, 2026

Patch Available

Apr 9, 2026

Version History

v2

Last enriched 5h ago

v2Tier C5h ago

Updated description with new details, marked exploit availability as false, and added CVE ID tag.

descriptionpatchAvailabletags

via VulDB

v17h ago

Initial creation