{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mattermost-inc./feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mattermost Server"],"_cs_severities":["medium"],"_cs_tags":["dos","cve","webserver"],"_cs_type":"advisory","_cs_vendors":["Mattermost Inc."],"content_html":"\u003cp\u003eA denial-of-service vulnerability, identified as CVE-2026-5308, affects Mattermost servers. Specifically, versions 11.6.x up to and including 11.6.0, 11.5.x up to and including 11.5.3, 11.4.x up to and including 11.4.4, and 10.11.x up to and including 10.11.14, do not properly enforce request body size limits on plugin HTTP endpoints. This flaw allows a remote, unauthenticated attacker to potentially exhaust server resources by sending specially crafted, oversized HTTP requests to plugin endpoints, leading to service disruption. This vulnerability is tracked under Mattermost Advisory ID MMSA-2026-00646 and has a CVSS v3.1 base score of 7.5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Mattermost server running a susceptible version.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies plugin HTTP endpoints that lack proper request body size limit enforcement.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an oversized HTTP request targeted at one of the vulnerable plugin endpoints.\u003c/li\u003e\n\u003cli\u003eThe malicious HTTP request is sent to the Mattermost server.\u003c/li\u003e\n\u003cli\u003eThe Mattermost server processes the request, allocating resources without proper size validation.\u003c/li\u003e\n\u003cli\u003eRepeated or concurrent oversized requests exhaust server resources such as memory and CPU.\u003c/li\u003e\n\u003cli\u003eLegitimate user requests are delayed or fail due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe Mattermost service becomes unavailable, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5308 can result in a complete denial of service, preventing legitimate users from accessing the Mattermost platform. The impact is significant for organizations relying on Mattermost for communication and collaboration, potentially disrupting business operations. The severity is further underscored by the CVSS v3.1 base score of 7.5, highlighting the potential for widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Mattermost Server that addresses CVE-2026-5308.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect CVE-2026-5308 Exploitation Attempt via Large HTTP Request\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusually large HTTP requests targeting plugin endpoints, as this could indicate an attempted denial-of-service attack.\u003c/li\u003e\n\u003cli\u003eConfigure web application firewalls (WAFs) to enforce request body size limits, mitigating the vulnerability at the network level.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:30:45Z","date_published":"2026-05-26T13:30:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mattermost-dos/","summary":"Mattermost versions 11.6.x \u003c= 11.6.0, 11.5.x \u003c= 11.5.3, 11.4.x \u003c= 11.4.4, 10.11.x \u003c= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints, allowing an attacker to cause a denial of service via crafted oversized HTTP requests.","title":"Mattermost Uncontrolled Resource Consumption Vulnerability (CVE-2026-5308)","url":"https://feed.craftedsignal.io/briefs/2026-05-mattermost-dos/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.9,"id":"CVE-2026-3473"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mattermost Server"],"_cs_severities":["medium"],"_cs_tags":["cve","vulnerability","mattermost","authorization bypass"],"_cs_type":"threat","_cs_vendors":["Mattermost Inc."],"content_html":"\u003cp\u003eMattermost, a popular open-source collaboration platform, is vulnerable to an authorization bypass issue. CVE-2026-3473 affects Mattermost Server versions 11.6.x \u0026lt;= 11.6.0, 11.5.x \u0026lt;= 11.5.3, 11.4.x \u0026lt;= 11.4.4, and 10.11.x \u0026lt;= 10.11.14. This vulnerability stems from a failure to properly validate file ownership and access control. An authenticated user can exploit this flaw to gain unauthorized access to and download files belonging to other users or teams. The attack is carried out via crafted Boards API requests utilizing valid file IDs. This vulnerability is identified by Mattermost Advisory ID MMSA-2026-00620. Successful exploitation can lead to sensitive data exposure and potential compromise of confidential information within the Mattermost environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a vulnerable Mattermost server.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid file ID belonging to another user or team.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Boards API request.\u003c/li\u003e\n\u003cli\u003eThe crafted API request includes the valid file ID of the target file.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Mattermost server fails to properly validate file ownership and access control.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe server grants the attacker access to the file.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully downloads the file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3473 allows an authenticated user to access and download files belonging to other users or teams within the Mattermost instance. This could lead to the unauthorized disclosure of sensitive information, including confidential documents, private communications, and other proprietary data. The impact is significant for organizations that rely on Mattermost for secure internal communication and collaboration. The number of affected installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Mattermost Server to a patched version (later than 11.6.0, 11.5.3, 11.4.4, or 10.11.14) to remediate CVE-2026-3473 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for unusual activity related to the Boards API, specifically requests attempting to access files using file IDs (cs-uri-stem|contains: \u0026ldquo;/api/v1/boards\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect suspicious access to the Boards API.\u003c/li\u003e\n\u003cli\u003eEnforce strict file access control policies within Mattermost to limit the potential impact of similar vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:30:28Z","date_published":"2026-05-26T13:30:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mattermost-file-access/","summary":"Mattermost versions 11.6.x \u003c= 11.6.0, 11.5.x \u003c= 11.5.3, 11.4.x \u003c= 11.4.4, 10.11.x \u003c= 10.11.14 fail to validate file ownership and access control, allowing an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.","title":"Mattermost File Access Vulnerability (CVE-2026-3473)","url":"https://feed.craftedsignal.io/briefs/2026-05-mattermost-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Mattermost Inc.","version":"https://jsonfeed.org/version/1.1"}