wid-sec-w-2026-0692  ·  Published 2026-03-10

Mattermost MS Teams plugin: Multiple Vulnerabilities allow Denial of Service

CVSS 3.7 LOW

Risk Summary

Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint, which allows an authenticated attacker to cause memory exhaustion and denial of service by sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
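
The weakness class described above, shown as an added Go example that is not taken from the advisory or from the plugin's source: a webhook handler that decodes JSON without a body cap, next to one that caps the body with http.MaxBytesReader and answers 413. The handler names, the lifecycleEvent shape and the 1 MiB limit are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
)

// maxLifecycleBody is an assumed cap (1 MiB); size it to real notifications.
const maxLifecycleBody = 1 << 20

// lifecycleEvent is a hypothetical payload shape, not the plugin's own type.
type lifecycleEvent struct {
	Value []map[string]any `json:"value"`
}

// unboundedHandler shows the weakness: the decoder buffers whatever is sent.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	var ev lifecycleEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusAccepted)
}

// boundedHandler caps the body before decoding and returns 413 past the cap.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxLifecycleBody)
	var ev lifecycleEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusAccepted)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/lifecycle", boundedHandler)
	_ = http.ListenAndServe("127.0.0.1:8080", mux)
}
```

A 413 rate on this route is also a useful detection signal, since legitimate notifications should stay well under the cap.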

Affected Vendors

Mattermost

Affected Products (2)

Mattermost · Mattermost MS Teams plugin <2.3.2.0
Mattermost · Mattermost MS Teams plugin 2.3.2.0
