HIGHCVE-2026-5740Published Modified CNA Mattermost
CVE-2026-5740: Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint.. Mattermost Advisory ID: MMSA-2026-00647
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 10.11.15
- Affected Products
- 1
Fix available
10.11.1511.4.511.5.411.6.111.7.0
Affected packages
- Mattermost / Mattermost≤ 11.6.0 · ≤ 11.5.3 · ≤ 11.4.4 · ≤ 10.11.14Fixed in 11.7.0, 11.6.1, 11.5.4, 11.4.5, 10.11.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences