PatchSiren cyber security CVE debrief
# CVE-2026-4915 Mattermost CVE debrief
## Summary

Mattermost versions 11.6.x through 11.6.0, 11.5.x through 11.5.3, 11.4.x through 11.4.4, and 10.11.x through 10.11.14 contain a denial-of-service vulnerability in outgoing webhook processing. An authenticated attacker can trigger server process termination by sending a crafted webhook callback response containing a null attachment entry. The root cause is improper filtering of nil elements in webhook attachment payloads before processing.

## Impact Assessment

- **CVSS 3.1 Score:** 6.5 (MEDIUM)
- **Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- **CWE-754:** Improper Check for Unusual or Exceptional Conditions
- **Attack Vector:** Network
- **Privileges Required:** Low (authenticated user)
- **User Interaction:** None
- **Scope:** Unchanged
- **Impact:** High availability impact (server process termination); no confidentiality or integrity impact

## Affected Versions

| Branch  | Affected Versions |
|---------|-------------------|
| 11.6.x  | ≤ 11.6.0          |
| 11.5.x  | ≤ 11.5.3          |
| 11.4.x  | ≤ 11.4.4          |
| 10.11.x | ≤ 10.11.14        |

## Technical Details

The vulnerability exists in Mattermost's outgoing webhook attachment processing logic. When processing webhook callback responses, the application fails to filter nil (null) elements from attachment payloads before further processing. This allows a nil attachment entry to propagate through the code path and cause a panic or unhandled exception, resulting in server process termination.

The attack requires:

1. Valid authentication credentials on the target Mattermost instance
2. The ability to configure or trigger an outgoing webhook
3. Control over the webhook callback response, so that a null attachment entry can be injected

## Timeline

- **CVE Published:** 2026-05-25
- **CVE Last Modified:** 2026-05-26
- **Mattermost Advisory:** MMSA-2026-00641

## Recommended Actions

1. **Immediate:** Review outgoing webhook configurations for unauthorized or suspicious integrations
2. **Patch:** Apply security updates from Mattermost when available; monitor the Mattermost security updates page for patched version announcements
3. **Network Controls:** Consider restricting outbound webhook destinations to trusted endpoints where business needs allow
4.
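The root cause described above is the absence of a nil filter on the decoded attachments array. The Go program below is an added illustration, not Mattermost's code: it uses hypothetical `Attachment` and `WebhookResponse` types standing in for the real structs, decodes a constructed callback body in which one array element is a JSON `null`, and shows the filter that removes such entries (and counts them, so the event can be logged) before any field on an attachment is touched.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attachment is a hypothetical stand-in for a webhook attachment (not Mattermost's own type).
type Attachment struct {
	Title string `json:"title"`
}

// WebhookResponse models a callback body; pointer elements mean a JSON null decodes to nil.
type WebhookResponse struct {
	Attachments []*Attachment `json:"attachments"`
}

// FilterNilAttachments drops nil elements so later stages never dereference one (the missing CWE-754 check).
func FilterNilAttachments(in []*Attachment) []*Attachment {
	out := make([]*Attachment, 0, len(in))
	for _, a := range in {
		if a != nil {
			out = append(out, a)
		}
	}
	return out
}

// ParseWebhookResponse decodes a callback body, removes nil attachments and reports how many were dropped.
func ParseWebhookResponse(body []byte) (*WebhookResponse, int, error) {
	var resp WebhookResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, 0, fmt.Errorf("decode webhook response: %w", err)
	}
	before := len(resp.Attachments)
	resp.Attachments = FilterNilAttachments(resp.Attachments)
	return &resp, before - len(resp.Attachments), nil
}

func main() {
	body := []byte(`{"text":"hi","attachments":[{"title":"a"},null,{"title":"b"}]}`) // constructed sample with one JSON null
	resp, dropped, err := ParseWebhookResponse(body)
	if err != nil {
		panic(err)
	}
	for _, a := range resp.Attachments {
		fmt.Println(a.Title) // safe: every remaining element is non-nil
	}
	fmt.Printf("dropped %d null attachment(s)\n", dropped) // dropped 1
}
```

A non-zero dropped count on a real deployment is worth logging against the webhook's identity, since a well-formed integration has no reason to emit null attachment entries.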
- **Vendor:** Mattermost
- **Product:** Unknown
- **CVSS:** MEDIUM 6.5
- **CISA KEV:** Not listed in stored evidence
- **Original CVE published:** 2026-05-25
- **Original CVE updated:** 2026-05-26
- **Advisory published:** 2026-05-25
- **Advisory updated:** 2026-05-26
## Who should care

Mattermost administrators, security teams managing collaboration platforms, DevSecOps engineers responsible for webhook integrations

## Technical summary

Authenticated DoS via nil attachment in Mattermost outgoing webhook responses

## Defensive priority

medium

## Recommended defensive actions

- Review outgoing webhook configurations for unauthorized integrations
- Apply Mattermost security updates when available
- Monitor the Mattermost security updates page for patch announcements
- Restrict outbound webhook destinations to trusted endpoints where feasible
## Evidence notes

- CVE record published 2026-05-25, modified 2026-05-26
- Mattermost advisory ID MMSA-2026-00641 confirmed in source
- CVSS 3.1 vector and score from official NVD record
- CWE-754 classification from responsible disclosure source
- Affected version ranges explicitly listed in CVE description
## Official resources

- CVE-2026-4915 CVE record (CVE.org)
- CVE-2026-4915 NVD detail (NVD)