High severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 16, 2026
DoS attack via login attempts with multi-megabyte passwords
CVE-2026-24458
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20260129164748-7201f42d955f | 8.0.0-20260129164748-7201f42d955f |
| github.com/mattermost/mattermost-server | Go | < 5.3.2-0.20260129164748-7201f42d955f | 5.3.2-0.20260129164748-7201f42d955f |
| github.com/mattermost/mattermost-server | Go | >= 10.11.0-rc1, < 10.11.11 | 10.11.11 |
| github.com/mattermost/mattermost-server | Go | >= 11.2.0-rc1, < 11.2.3 | 11.2.3 |
| github.com/mattermost/mattermost-server | Go | >= 11.3.0-rc1, < 11.3.1 | 11.3.1 |
Affected products
- Range: 11.3.0
Patches
7201f42d955f MM-67277: Add check to legacy hasher (#35092)
3 files changed · +17 −1
server/channels/app/password/hashers/bcrypt.go+4 −0 modified@@ -73,6 +73,10 @@ func (b BCrypt) Hash(password string) (string, error) { // a [PasswordHasher]: it only uses the [PHC.Hash] field, and ignores anything // else in there. func (b BCrypt) CompareHashAndPassword(hash phcparser.PHC, password string) error { + if len(password) > PasswordMaxLengthBytes { + return ErrPasswordTooLong + } + err := bcrypt.CompareHashAndPassword([]byte(hash.Hash), []byte(password)) if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) { return ErrMismatchedHashAndPassword
server/channels/app/password/hashers/bcrypt_test.go+11 −0 modified@@ -4,6 +4,7 @@ package hashers import ( + "crypto/rand" "strings" "testing" @@ -44,6 +45,10 @@ func TestBCryptHash(t *testing.T) { } func TestBCryptCompareHashAndPassword(t *testing.T) { + passwordTooLong := make([]byte, PasswordMaxLengthBytes+1) + _, err := rand.Read(passwordTooLong) + require.NoError(t, err) + testCases := []struct { testName string storedPwd string @@ -68,6 +73,12 @@ func TestBCryptCompareHashAndPassword(t *testing.T) { "another password", ErrMismatchedHashAndPassword, }, + { + "long password", + "stored password", + string(passwordTooLong), + ErrPasswordTooLong, + }, } hasher := NewBCrypt()
server/channels/app/password/hashers/pbkdf2_test.go+2 −1 modified@@ -48,7 +48,8 @@ func TestPBKDF2Hash(t *testing.T) { func TestPBKDF2CompareHashAndPassword(t *testing.T) { passwordTooLong := make([]byte, PasswordMaxLengthBytes+1) - rand.Read(passwordTooLong) + _, err := rand.Read(passwordTooLong) + require.NoError(t, err) testCases := []struct { testName string
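Review bot: the doc comment above CompareHashAndPassword in bcrypt.go ("it only uses the [PHC.Hash] field, and ignores anything else in there") should also state the new precondition: a password longer than PasswordMaxLengthBytes is rejected with ErrPasswordTooLong before any bcrypt work runs, so callers that map hasher errors to HTTP responses know this error can now come out of the comparison path. The hunk's context line is the signature of Hash in the same file, but only CompareHashAndPassword gains the check; confirm Hash (and any other entry point that takes a user-supplied password) enforces the same bound, otherwise over-long input still reaches bcrypt through that path.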
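Review bot: the new "long password" case in bcrypt_test.go only exercises PasswordMaxLengthBytes+1. Add a sibling case of exactly PasswordMaxLengthBytes random bytes that is expected to get past the length gate (ErrMismatchedHashAndPassword rather than ErrPasswordTooLong against "stored password"), so the `>` versus `>=` boundary of the check in bcrypt.go is pinned down by the test rather than left to inspection.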
References
- github.com/advisories/GHSA-m5rv-56xx-hfc6 (ADVISORY)
- mattermost.com/security-updates (vendor advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-24458 (ADVISORY)
- github.com/mattermost/mattermost/commit/7201f42d955f1bc44719b862132546626b60a180 (WEB)