CVE-2026-24661

Description

Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the { {/changes} } webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611

References

• https://mattermost.com/security-updates