GHSA-m3p3-8frq-q7qhMediumCVSS 4.3

Mattermost doesn't limit the size of the request body on the start meeting API endpoint

Published
May 18, 2026
Last Modified
June 1, 2026

🔗 CVE IDs covered (1)

CVE-2026-2325

📋 Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}.. Mattermost Advisory ID: MMSA-2026-00608

🎯 Affected products4

  • go/github.com/mattermost/mattermost-server:>= 11.5.0, < 11.5.2
  • go/github.com/mattermost/mattermost-server:>= 10.11.0, < 10.11.14
  • go/github.com/mattermost/mattermost-server:>= 11.4.0, < 11.4.4
  • go/github.com/mattermost/mattermost-plugin-msteams-meetings:< 1.1.1-0.20260213105619-c5892dd169de

🔗 References (4)