CVE-2026-5740
HighSummary
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation. This allows an unauthenticated remote attacker to crash the server process, causing a full service outage for all users.
Risk Assessment
An attacker can exploit this vulnerability to perform a DoS attack, resulting in service unavailability for all users. This can lead to significant disruptions in the organization's operations.
Recommendation
It is recommended to upgrade to the latest version of Mattermost to mitigate this vulnerability. Additionally, monitor server logs for potential attack attempts.
Original NVD description (English source)
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint.. Mattermost Advisory ID: MMSA-2026-00647

