CVE-2026-4635 MEDIUM

CVE-2026-4635: Persistent notification timing attack causing server denial of service

Vendor Mattermost
Product Mattermost
Weakness CWE-362
Published May 22, 2026
Last update May 22, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications, which allows an authenticated user to crash the server by timing the creation of a persistent notification message between the server deleting the existing persistent notifications and archiving the channel. Mattermost Advisory ID: MMSA-2026-00637

Key dates

Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated