Low severity · 3.7 (NVD) · Advisory · Published Apr 9, 2026 · Updated Apr 17, 2026
CVE-2026-24661
Description
Mattermost Plugins versions <= 2.1.3.0 fail to limit the request body size on the /changes webhook endpoint, which allows an authenticated attacker to cause memory exhaustion and denial of service by sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611
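As an added example that is not the plugin's own code: a minimal Go handler that applies the same http.MaxBytesReader cap as the fix commit, but maps the overflow to 413 so it stays distinguishable from malformed JSON. The `/changes` route, handler name and payload shape are constructed stand-ins; jsonOfSize builds a syntactically valid body of a chosen size so the limit, not the parser, is what rejects it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBodySize mirrors the 1 MB cap adopted in the fix commit.
const maxWebhookBodySize int64 = 1 << 20

// webhookHandler caps the body before decoding, as the patch does. An
// exceeded cap surfaces as *http.MaxBytesError and is answered with 413, so
// oversized requests are distinguishable from malformed JSON (400) in logs.
func webhookHandler(w http.ResponseWriter, req *http.Request) {
	req.Body = http.MaxBytesReader(w, req.Body, maxWebhookBodySize)
	var activities []json.RawMessage // stand-in for the plugin's Activities type
	if err := json.NewDecoder(req.Body).Decode(&activities); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body exceeds limit", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "unable to decode activities", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d activities", len(activities))
}

// post drives the handler in-process and returns the HTTP status code.
func post(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/changes", strings.NewReader(body))
	webhookHandler(rec, req)
	return rec.Code
}

// jsonOfSize builds a syntactically valid JSON array of exactly total bytes,
// so a rejection proves the size cap fired rather than the JSON parser.
func jsonOfSize(total int) string {
	const framing = len(`[{"id":"` + `"}]`) // 11 bytes around the string value
	return `[{"id":"` + strings.Repeat("a", total-framing) + `"}]`
}

func main() {
	fmt.Println(post("not json"), post(jsonOfSize(1<<20)), post(jsonOfSize(1<<20+1))) // 400 200 413
}
```

A body of exactly 1<<20 bytes is accepted, because MaxBytesReader only errors on a read beyond the limit; one byte more is refused before the decoder ever sees the closing bracket.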
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-plugin-msteams (Go) | < 1.15.1-0.20260213190728-6fe4d295592e | 1.15.1-0.20260213190728-6fe4d295592e |
Patches (1)
1. 6fe4d295592e: Limit request body size on webhook endpoints to prevent memory exhaustion (#895)
2 files changed · +26 −0
server/api.go+4 −0 modified@@ -50,6 +50,8 @@ const ( QueryParamPostID = "post_id" QueryParamFromPreferences = "from_preferences" QueryParamStateID = "state_id" + + maxWebhookBodySize int64 = 1 << 20 // 1 MB ) type UpdateWhitelistResult struct { @@ -108,6 +110,7 @@ func (a *API) processActivity(w http.ResponseWriter, req *http.Request) { return } + req.Body = http.MaxBytesReader(w, req.Body, maxWebhookBodySize) activities := Activities{} err := json.NewDecoder(req.Body).Decode(&activities) if err != nil { @@ -146,6 +149,7 @@ func (a *API) processLifecycle(w http.ResponseWriter, req *http.Request) { return } + req.Body = http.MaxBytesReader(w, req.Body, maxWebhookBodySize) lifecycleEvents := Activities{} err := json.NewDecoder(req.Body).Decode(&lifecycleEvents) if err != nil {
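Review bot: in the processActivity hunk the cap is installed immediately before json.NewDecoder(req.Body), so an exceeded limit lands in the same `if err != nil` branch as a JSON syntax error and gets the same 400 and "unable to get the activities from the message" response the existing tests expect; consider checking `errors.As(err, new(*http.MaxBytesError))` there to answer with http.StatusRequestEntityTooLarge and log the oversize separately, so operators can tell an abusive request from a malformed payload. Also confirm nothing above the visible `return }` context reads req.Body, since MaxBytesReader only bounds reads made after the body is wrapped.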
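Review bot: the processLifecycle hunk repeats the processActivity addition line for line; since the commit message says this covers "webhook endpoints", a small helper or a middleware on the webhook router that wraps req.Body once would keep the two handlers in step and make it harder to add a future endpoint without the cap.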
server/api_test.go+22 −0 modified@@ -90,6 +90,17 @@ func TestProcessActivity(t *testing.T) { assert.Equal(t, "unable to get the activities from the message\n", bodyString) }) + t.Run("oversized body", func(t *testing.T) { + th.Reset(t) + + oversizedBody := bytes.Repeat([]byte("a"), 1<<20+1) + response, err := http.Post(apiURL, "text/json", bytes.NewReader(oversizedBody)) + require.NoError(t, err) + defer response.Body.Close() + + assert.Equal(t, http.StatusBadRequest, response.StatusCode) + }) + t.Run("invalid webhook secret", func(t *testing.T) { th.Reset(t) @@ -225,6 +236,17 @@ func TestProcessLifecycle(t *testing.T) { assert.Equal(t, "unable to get the lifecycle events from the message\n", bodyString) }) + t.Run("oversized body", func(t *testing.T) { + th.Reset(t) + + oversizedBody := bytes.Repeat([]byte("a"), 1<<20+1) + response, err := http.Post(apiURL, "text/json", bytes.NewReader(oversizedBody)) + require.NoError(t, err) + defer response.Body.Close() + + assert.Equal(t, http.StatusBadRequest, response.StatusCode) + }) + t.Run("invalid webhook secret", func(t *testing.T) { th.Reset(t)
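Review bot: in both `oversized body` subtests the payload bytes.Repeat([]byte("a"), 1<<20+1) is not valid JSON, so the decoder rejects it with 400 even without MaxBytesReader, and the subtest immediately above already shows that path returning "unable to get the activities from the message"; the new tests therefore pass with or without the fix. Build the oversized body as syntactically valid JSON (for example a single element whose string value is padded past the limit), assert on whatever distinguishes the size rejection (the response body, or a 413 if the handler is taught to return one), and add a body of exactly 1<<20 bytes to pin the boundary that MaxBytesReader still allows.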
References
- github.com/advisories/GHSA-5rfv-h47g-xj42 (advisory, via GHSA)
- mattermost.com/security-updates (vendor advisory, via NVD)
- nvd.nist.gov/vuln/detail/CVE-2026-24661 (advisory, via GHSA)
- github.com/mattermost/mattermost-plugin-msteams/commit/6fe4d295592ecc8767d67e69286cbeec01be3210 (fix commit, via GHSA)
- github.com/mattermost/mattermost-plugin-msteams/releases/tag/v2.3.2 (release, via GHSA)