HIGH 7.5
GHSA-jmvr-r5hm-fxfr
Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
Details
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID: MMSA-2026-00646
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/mattermost/mattermost-server
Introduced in:
11.6.0 Fixed in: 11.6.1 Fix
go get github.com/mattermost/mattermost-server@v11.6.1 Go / github.com/mattermost/mattermost-server
Introduced in:
11.5.0 Fixed in: 11.5.4 Fix
go get github.com/mattermost/mattermost-server@v11.5.4 Go / github.com/mattermost/mattermost-server
Introduced in:
11.4.0 Fixed in: 11.4.5 Fix
go get github.com/mattermost/mattermost-server@v11.4.5 Go / github.com/mattermost/mattermost-server
Introduced in:
10.11.0 Fixed in: 10.11.15 Fix
go get github.com/mattermost/mattermost-server@v10.11.15 Go / github.com/mattermost/mattermost-plugin-github
Introduced in:
0 Fixed in: 1.0.1-0.20260410143745-9b41b1fd43c4 Fix
go get github.com/mattermost/mattermost-plugin-github@v1.0.1-0.20260410143745-9b41b1fd43c4