CVE-2026-21388 PUBLISHED

Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint

Assigner: Mattermost
Reserved: 11.02.2026 Published: 09.04.2026 Updated: 09.04.2026

Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 0 to 2.3.1 (incl.) Version 2.3.2.0 is unaffected

Solutions

Update Mattermost Plugins to versions 2.3.2.0 or higher.

Credits

Lorenzo Gallegos finder

References

MMSA-2026-00610

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE