HIGH 7.5
GHSA-w9m8-p4cc-4qj9
Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
Details
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint.. Mattermost Advisory ID: MMSA-2026-00647
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/mattermost/mattermost-server
Introduced in:
11.6.0 Fixed in: 11.6.1 Fix
go get github.com/mattermost/mattermost-server@v11.6.1 Go / github.com/mattermost/mattermost-server
Introduced in:
11.5.0 Fixed in: 11.5.4 Fix
go get github.com/mattermost/mattermost-server@v11.5.4 Go / github.com/mattermost/mattermost-server
Introduced in:
11.4.0 Fixed in: 11.4.5 Fix
go get github.com/mattermost/mattermost-server@v11.4.5 Go / github.com/mattermost/mattermost-server
Introduced in:
10.11.0 Fixed in: 10.11.15 Fix
go get github.com/mattermost/mattermost-server@v10.11.15 Go / github.com/mattermost/mattermost/server/v8
Introduced in:
0 Fixed in: 8.0.0-20260410202636-17939826efa2 Fix
go get github.com/mattermost/mattermost/server/v8@v8.0.0-20260410202636-17939826efa2