Mattermost doesn't limit the size of the request body on the start meeting API endpoint
Moderate severity
GitHub Reviewed
Published May 18, 2026 to the GitHub Advisory Database • Updated Jun 1, 2026
Package
Affected versions: < 1.1.1-0.20260213105619-c5892dd169de
Patched versions: 1.1.1-0.20260213105619-c5892dd169de
Affected versions: >= 11.5.0, < 11.5.2; >= 10.11.0, < 10.11.14; >= 11.4.0, < 11.4.4
Patched versions: 11.5.2; 10.11.14; 11.4.4
Published by the National Vulnerability Database: May 18, 2026
Published to the GitHub Advisory Database: May 18, 2026
Last updated: Jun 1, 2026
Reviewed: Jun 1, 2026
Description
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to /api/v1/meetings. Mattermost Advisory ID: MMSA-2026-00608
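The missing control named in the description, sketched in Go as an added example (not Mattermost's patch and not code from this advisory): the handler caps the request body with http.MaxBytesReader before decoding and answers 413 when the cap is hit. The handler name, the 64 KiB limit and the request struct are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxStartMeetingBody is an assumed cap; the advisory does not state the patched value.
const maxStartMeetingBody = 64 << 10 // 64 KiB

// startMeetingRequest is a hypothetical payload shape, not the project's real struct.
type startMeetingRequest struct {
	ChannelID string `json:"channel_id"`
	Topic     string `json:"topic"`
}

// handleStartMeeting caps the body before any decoding, so an oversized POST
// is cut off after maxStartMeetingBody bytes instead of being read in full.
func handleStartMeeting(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxStartMeetingBody)
	var req startMeetingRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "invalid JSON body", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postStatus sends a constructed JSON body whose topic is n bytes long and returns the status code.
func postStatus(n int) int {
	body := `{"channel_id":"c1","topic":"` + strings.Repeat("A", n) + `"}`
	req := httptest.NewRequest(http.MethodPost, "/api/v1/meetings", strings.NewReader(body))
	rec := httptest.NewRecorder()
	handleStartMeeting(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(postStatus(32), postStatus(1<<20)) // small body vs. 1 MiB body
}
```

http.MaxBytesError requires Go 1.19 or later; on a real server the same wrapper also tells the server to close the connection after the limit is exceeded.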