Moderate severityNVD Advisory· Published Mar 25, 2026· Updated Mar 27, 2026
Denial of Service via HTTP/2 single packet attack on login endpoint
CVE-2026-26233
Description
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests.. Mattermost Advisory ID: MMSA-2025-00566
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost-serverGo | >= 11.4.0-rc1, < 11.4.1 | 11.4.1 |
github.com/mattermost/mattermost-serverGo | >= 11.3.0-rc1, < 11.3.2 | 11.3.2 |
github.com/mattermost/mattermost-serverGo | >= 11.2.0-rc1, < 11.2.4 | 11.2.4 |
github.com/mattermost/mattermost-serverGo | >= 10.11.0-rc1, < 10.11.12 | 10.11.12 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
>= 11.4.0-rc1, < 11.4.1+ 1 more
- (no CPE)range: >= 11.4.0-rc1, < 11.4.1
- (no CPE)range: < 0.0.20260402T184258-150000.1.158.1
- Range: 11.4.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-247x-7qw8-fp98ghsaADVISORY
- mattermost.com/security-updatesghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-26233ghsaADVISORY
News mentions
0No linked articles in our index yet.