CVE-2026-21388

Description

Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the { {/lifecycle} } webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610

References

• https://mattermost.com/security-updates