CVE-2026-25783
Discovered by AISLEPUBLISHEDCWE-1287
Description
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586
CVSS Base Scores
CVSS v3.1(Primary)
4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Mattermost | Mattermost | 11.3.0 | affected |
| Mattermost | Mattermost | 11.2.0 | unaffected |
| Mattermost | Mattermost | 10.11.0 | — |
| Mattermost | Mattermost | 11.4.0 | — |
| Mattermost | Mattermost | 11.3.1 | — |
| Mattermost | Mattermost | 11.2.3 | — |
| Mattermost | Mattermost | 10.11.11 | — |
Credits
- winfunc(finder)
Solutions
Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3, 10.11.11 or higher.