PatchSiren cyber security CVE debrief
CVE-2026-6340 Mattermost CVE debrief
CVE-2026-6340 is a denial-of-service issue in Mattermost’s handling of 7zip archives. According to the provided description, affected versions fail to validate 7zip archive structure before processing, allowing an authenticated attacker to upload a specially crafted archive with excessive folder declarations and trigger server memory exhaustion. The result is loss of availability rather than direct data exposure or code execution. The CVSS score is 4.3 (MEDIUM), reflecting authenticated network access with availability impact only.
- Vendor: Mattermost
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Administrators and operators running Mattermost instances in the affected version ranges, especially environments that allow users to upload archives or otherwise process user-supplied 7zip files. Security teams responsible for collaboration platforms and file-upload workflows should prioritize this for availability risk management.
Technical summary
The issue is described as insufficient validation of 7zip archive structure prior to processing. A specially crafted 7zip file containing excessive folder declarations can drive memory consumption high enough to exhaust server resources. The affected releases listed in the supplied corpus are Mattermost 11.5.x up to 11.5.1, 11.4.x up to 11.4.3, and 10.11.x up to 10.11.13. The supplied NVD metadata classifies the weakness as CWE-789 (Uncontrolled Memory Allocation) and assigns CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.
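As an added example (not Mattermost's code, and not the fix the vendor shipped, which the corpus does not describe): the CWE-789 guard a parser needs at the point where a 7zip header declares its folder count. It decodes the 7z variable-length NUMBER field used for NumFolders and rejects an implausible count before any slice is allocated; the cap constant and the two header fragments are constructed assumptions.

```go
package main

import "fmt"

// maxFolders is an assumed hard cap for this example, not a Mattermost value.
const maxFolders = 1 << 16

// read7zNumber decodes the 7z header NUMBER encoding: each leading 1 bit of the
// first byte adds one little-endian byte; its remaining low bits are the top part.
func read7zNumber(b []byte) (value uint64, used int, err error) {
	if len(b) == 0 {
		return 0, 0, fmt.Errorf("truncated number")
	}
	first, mask := b[0], byte(0x80)
	for i := 0; i < 8; i++ {
		if first&mask == 0 {
			return value | (uint64(first)&(uint64(mask)-1))<<(8*i), i + 1, nil
		}
		if len(b) < i+2 {
			return 0, 0, fmt.Errorf("truncated number")
		}
		value |= uint64(b[1+i]) << (8 * i)
		mask >>= 1
	}
	return value, 9, nil
}

// validateFolderCount reads the NumFolders field opening a Folders block and
// rejects implausible counts before the unchecked make([]folder, n) would run.
func validateFolderCount(foldersBlock []byte) (uint64, error) {
	n, used, err := read7zNumber(foldersBlock)
	if err != nil {
		return 0, err
	}
	if n > maxFolders {
		return 0, fmt.Errorf("declared %d folders, cap is %d", n, maxFolders)
	}
	// Each folder record needs at least one byte (its NumCoders field), so a
	// count larger than the bytes that follow cannot describe a real archive.
	if remaining := uint64(len(foldersBlock) - used); n > remaining {
		return 0, fmt.Errorf("declared %d folders but only %d bytes follow", n, remaining)
	}
	return n, nil
}

// Constructed fragments (NumFolders, External byte, folder bytes), not real archives.
var (
	hostileFolders = []byte{0xCF, 0x40, 0x42, 0x00, 0x01}       // claims 1,000,000 folders
	benignFolders  = []byte{0x02, 0x00, 0x01, 0x00, 0x01, 0x00} // 2 folders
)
```

The same two checks (hard cap, and count versus bytes remaining) apply to every count-prefixed table in a 7z header, not only the folder list.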
Defensive priority
Medium. This is an authenticated, remote, availability-impacting vulnerability. It is important because it can take down a production collaboration service, but it does not indicate credential theft, data corruption, or code execution in the supplied materials.
Recommended defensive actions
- Upgrade Mattermost to a fixed release beyond the affected version ranges described in the advisory.
- Restrict who can upload archives, especially 7zip files, until patched.
- Monitor server memory and process stability for unusual spikes tied to archive uploads.
- Review logs for repeated or suspicious archive-upload activity by authenticated users.
- If immediate patching is not possible, apply compensating controls such as limiting file-upload features or isolating the service behind stricter access controls.
Evidence notes
The CVE description states that Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, and 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing, enabling server memory exhaustion and denial of service via a specially crafted 7zip file with excessive folder declarations. NVD metadata lists the weakness as CWE-789 and provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The supplied NVD reference points to Mattermost’s security-updates page as the vendor reference. Vendor attribution in the corpus is low-confidence, but the evidence supplied consistently points to Mattermost.
Official resources
- CVE-2026-6340 CVE record (CVE.org)
- CVE-2026-6340 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
Published in the supplied corpus on 2026-05-18. The NVD record is marked Received and references Mattermost’s security-updates page. No exploit details are included here beyond the vendor-provided description.