CVE-2026-24661 LOW

CVE-2026-24661: Unbounded Request Body Read in MS Teams Plugin /changes Webhook Endpoint

Vendor Mattermost
Product Mattermost
Weakness CWE-770 · Uncontrolled resource consumption
Published April 9, 2026
Last update April 9, 2026

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the /changes webhook endpoint, which allows an authenticated attacker to cause memory exhaustion and denial of service by sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611
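
One way to bound the request body on a webhook handler such as /changes, shown as an added example in Go (the language Mattermost server plugins are written in). It is not the plugin's code: the handler name, the payload shape and the 1 MiB cap are assumptions, and the request bodies are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBody is an assumed cap (1 MiB); the advisory does not state the limit used in the fix.
const maxBody = 1 << 20

// changesHandler is a hypothetical stand-in for a /changes webhook handler.
func changesHandler(w http.ResponseWriter, r *http.Request) {
	// Without this line, json.Decoder buffers the whole top-level value in
	// memory, so the sender controls how much the server allocates (CWE-770).
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	var payload struct {
		Value []json.RawMessage `json:"value"` // assumed payload shape
	}
	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusAccepted)
}

// post sends a constructed body to the handler and returns the status code.
func post(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/changes", strings.NewReader(body))
	rec := httptest.NewRecorder()
	changesHandler(rec, req)
	return rec.Code
}

func main() {
	small := `{"value":[{"id":"1"}]}`                              // constructed, within the cap
	big := `{"value":["` + strings.Repeat("A", 2*maxBody) + `"]}` // constructed, over the cap
	fmt.Println(post(small), post(big))                            // 202 413
}
```

The cap should sit above the largest legitimate notification the endpoint expects, and a 413 response from this endpoint is worth logging as a signal of oversized requests.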

Key dates

02 Disclosure timeline

April 9, 2026 CVE published
April 9, 2026 Record updated