Low severity (CVSS 3.7) · NVD Advisory · Published Apr 9, 2026 · Updated Apr 25, 2026
CVE-2026-21388
Description
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610
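The failure mode described above, reduced to a self-contained Go demonstration (added here; this is not Mattermost's code, and the `Activities` field layout, the handler names and the choice of a 413 response are assumptions). The vulnerable handler hands the raw request body to `json.Decoder`, which buffers the whole payload in memory before the first byte is validated, so the handler's memory use is bounded only by what the client sends. The hardened handler wraps the body in `http.MaxBytesReader` with the same 1 MiB ceiling the fix uses and, going one step beyond the patch, uses `errors.As` to separate the size rejection from malformed JSON so it can be logged and alerted on distinctly. The request bodies are constructed inline and the byte counter shows how much of the stream each handler actually consumed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBodySize caps how many bytes a webhook handler will read.
// 1 MiB is the ceiling used by the Mattermost fix.
const maxWebhookBodySize int64 = 1 << 20

// Activities stands in for the webhook payload type; its shape is an assumption.
type Activities struct {
	Value []map[string]any `json:"value"`
}

// vulnerableLifecycle decodes the body with no size limit: the JSON decoder keeps
// buffering an arbitrarily large request in memory until the client stops sending.
func vulnerableLifecycle(w http.ResponseWriter, req *http.Request) {
	var events Activities
	if err := json.NewDecoder(req.Body).Decode(&events); err != nil {
		http.Error(w, "unable to get the lifecycle events from the message", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedLifecycle wraps the body in http.MaxBytesReader before decoding, so at most
// maxWebhookBodySize+1 bytes are ever read from the connection. It also tells the
// size rejection apart from a malformed payload and answers 413 for it, which gives
// access-log monitoring a distinct signal for oversized requests.
func hardenedLifecycle(w http.ResponseWriter, req *http.Request) {
	req.Body = http.MaxBytesReader(w, req.Body, maxWebhookBodySize)
	var events Activities
	if err := json.NewDecoder(req.Body).Decode(&events); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "unable to get the lifecycle events from the message", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// oversizedJSON builds a syntactically valid payload just over the limit (constructed
// sample input), so a 4xx from the hardened handler can only come from the size check
// and not from a JSON syntax error.
func oversizedJSON() string {
	filler := strings.Repeat("a", int(maxWebhookBodySize))
	return `{"value":[{"pad":"` + filler + `"}]}`
}

// countingReader records how many bytes a handler pulled from the request stream.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// postStatus runs handler against an in-memory POST /lifecycle carrying body and
// returns the response status and the number of body bytes the handler consumed.
func postStatus(handler http.HandlerFunc, body string) (int, int64) {
	counter := &countingReader{r: strings.NewReader(body)}
	req := httptest.NewRequest(http.MethodPost, "/lifecycle", counter)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code, counter.n
}

func main() {
	code, consumed := postStatus(vulnerableLifecycle, oversizedJSON())
	fmt.Printf("vulnerable: status=%d bytesRead=%d\n", code, consumed)
	code, consumed = postStatus(hardenedLifecycle, oversizedJSON())
	fmt.Printf("hardened:   status=%d bytesRead=%d\n", code, consumed)
}
```

Running it shows the vulnerable handler reading the entire payload (and accepting it), while the hardened handler stops after the limit plus one byte and returns 413. Placing the `MaxBytesReader` call in a middleware applied to the whole webhook router, rather than in each handler, keeps a newly added endpoint from reintroducing the unbounded read.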
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost-plugin-msteams | Go | < 1.15.1-0.20260213190728-6fe4d295592e | 1.15.1-0.20260213190728-6fe4d295592e |
Affected products
Patches (1)
1. 6fe4d295592e: Limit request body size on webhook endpoints to prevent memory exhaustion (#895)
2 files changed · +26 −0
server/api.go+4 −0 modified@@ -50,6 +50,8 @@ const ( QueryParamPostID = "post_id" QueryParamFromPreferences = "from_preferences" QueryParamStateID = "state_id" + + maxWebhookBodySize int64 = 1 << 20 // 1 MB ) type UpdateWhitelistResult struct { @@ -108,6 +110,7 @@ func (a *API) processActivity(w http.ResponseWriter, req *http.Request) { return } + req.Body = http.MaxBytesReader(w, req.Body, maxWebhookBodySize) activities := Activities{} err := json.NewDecoder(req.Body).Decode(&activities) if err != nil { @@ -146,6 +149,7 @@ func (a *API) processLifecycle(w http.ResponseWriter, req *http.Request) { return } + req.Body = http.MaxBytesReader(w, req.Body, maxWebhookBodySize) lifecycleEvents := Activities{} err := json.NewDecoder(req.Body).Decode(&lifecycleEvents) if err != nil {
server/api_test.go+22 −0 modified@@ -90,6 +90,17 @@ func TestProcessActivity(t *testing.T) { assert.Equal(t, "unable to get the activities from the message\n", bodyString) }) + t.Run("oversized body", func(t *testing.T) { + th.Reset(t) + + oversizedBody := bytes.Repeat([]byte("a"), 1<<20+1) + response, err := http.Post(apiURL, "text/json", bytes.NewReader(oversizedBody)) + require.NoError(t, err) + defer response.Body.Close() + + assert.Equal(t, http.StatusBadRequest, response.StatusCode) + }) + t.Run("invalid webhook secret", func(t *testing.T) { th.Reset(t) @@ -225,6 +236,17 @@ func TestProcessLifecycle(t *testing.T) { assert.Equal(t, "unable to get the lifecycle events from the message\n", bodyString) }) + t.Run("oversized body", func(t *testing.T) { + th.Reset(t) + + oversizedBody := bytes.Repeat([]byte("a"), 1<<20+1) + response, err := http.Post(apiURL, "text/json", bytes.NewReader(oversizedBody)) + require.NoError(t, err) + defer response.Body.Close() + + assert.Equal(t, http.StatusBadRequest, response.StatusCode) + }) + t.Run("invalid webhook secret", func(t *testing.T) { th.Reset(t)
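Review bot: In the two server/api.go hunks the limit is applied inside processActivity and processLifecycle only, and the decode error path still reports a `*http.MaxBytesError` with the same generic 400 ("unable to get the activities from the message") as malformed JSON. Consider installing `http.MaxBytesReader` once, as middleware on the webhook router, so any handler added later inherits the cap, and in the decode error branch adding `var tooLarge *http.MaxBytesError; if errors.As(err, &tooLarge) { ... }` to return 413 and emit a distinct log line; that gives operators a signal to alert on when a client starts sending oversized payloads. The placement of `maxWebhookBodySize` inside the `QueryParam*` const block is also worth a separate block or a comment, since it is not a query parameter.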
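Review bot: The two "oversized body" cases in server/api_test.go would pass without the fix: a body of 1<<20+1 repeated "a" bytes is not valid JSON, so the handler answers 400 from the decode error whether or not `MaxBytesReader` is in place. Use a well-formed JSON payload just over the limit (for example one object holding a 1 MiB string) so the rejection can only come from the size check, and add the boundary case of a valid body of exactly 1<<20 bytes that must be accepted, to guard the limit against an off-by-one. The duplicated block could also move into a shared helper taking the handler URL.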
References (5)
- github.com/advisories/GHSA-x274-8qfc-hrgf (source: ghsa; type: ADVISORY)
- mattermost.com/security-updates (source: nvd; type: Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-21388 (source: ghsa; type: ADVISORY)
- github.com/mattermost/mattermost-plugin-msteams/commit/6fe4d295592ecc8767d67e69286cbeec01be3210 (source: ghsa; type: WEB)
- github.com/mattermost/mattermost-plugin-msteams/releases/tag/v2.3.2 (source: ghsa; type: WEB)
News mentions (0)
No linked articles in our index yet.