Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566

Affected Products

Vendor	Product	Versions
mattermost	mattermost_server	go/github.com/mattermost/mattermost-server: >= 11.4.0-rc1, < 11.4.1, go/github.com/mattermost/mattermost-server: >= 11.3.0-rc1, < 11.3.2, go/github.com/mattermost/mattermost-server: >= 11.2.0-rc1, < 11.2.4, go/github.com/mattermost/mattermost-server: >= 10.11.0-rc1, < 10.11.12

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
go	github.com/mattermost/mattermost-server	GHSA	85%

References

https://mattermost.com/security-updates(Vendor Advisory)

CVSS 3.14.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA KEV❌ No

Actively exploited❌ No

Patch available

github.com/mattermost/mattermost-server@11.4.1github.com/mattermost/mattermost-server@11.3.2github.com/mattermost/mattermost-server@11.2.4github.com/mattermost/mattermost-server@10.11.12

CWECWE-400

PublishedMar 25, 2026

Last enriched5d ago

Trending Score0

Source articles0

Independent0

Info Completeness9/14

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service

Description

Affected Products

Also Affects

References

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline