{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3114", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-02-24T11:01:47.197Z", "datePublished": "2026-03-26T16:21:19.421Z", "dateUpdated": "2026-03-26T17:51:14.833Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mattermost", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "11.4.0", "status": "affected", "version": "11.4.0", "versionType": "semver"}, {"lessThanOrEqual": "11.3.1", "status": "affected", "version": "11.3.0", "versionType": "semver"}, {"lessThanOrEqual": "11.2.3", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"lessThanOrEqual": "10.11.11", "status": "affected", "version": "10.11.0", "versionType": "semver"}, {"version": "11.5.0", "status": "unaffected"}, {"version": "11.4.1", "status": "unaffected"}, {"version": "11.3.2", "status": "unaffected"}, {"version": "11.2.4", "status": "unaffected"}, {"version": "10.11.12", "status": "unaffected"}]}], "credits": [{"lang": "en", "type": "finder", "value": "winfunc"}], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory.. Mattermost Advisory ID: MMSA-2026-00598"}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseSeverity": "MEDIUM", "baseScore": 6.5}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "cweId": "CWE-409"}]}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00598", "tags": ["vendor-advisory"]}], "solutions": [{"value": "Update Mattermost to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher.", "lang": "en"}], "source": {"advisory": "MMSA-2026-00598", "defect": ["https://mattermost.atlassian.net/browse/MM-67378"], "discovery": "EXTERNAL"}, "title": "Zip Bomb Denial of Service via Unrestricted Archive Decompression", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-26T16:21:19.421Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3114", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:37:33.825174Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:51:14.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3114", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:37:33.825174Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:47:26.384Z"}}], "cna": {"title": "Zip Bomb Denial of Service via Unrestricted Archive Decompression", "source": {"defect": ["https://mattermost.atlassian.net/browse/MM-67378"], "advisory": "MMSA-2026-00598", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "winfunc"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Mattermost", "versions": [{"status": "affected", "version": "11.4.0", "versionType": "semver", "lessThanOrEqual": "11.4.0"}, {"status": "affected", "version": "11.3.0", "versionType": "semver", "lessThanOrEqual": "11.3.1"}, {"status": "affected", "version": "11.2.0", "versionType": "semver", "lessThanOrEqual": "11.2.3"}, {"status": "affected", "version": "10.11.0", "versionType": "semver", "lessThanOrEqual": "10.11.11"}, {"status": "unaffected", "version": "11.5.0"}, {"status": "unaffected", "version": "11.4.1"}, {"status": "unaffected", "version": "11.3.2"}, {"status": "unaffected", "version": "11.2.4"}, {"status": "unaffected", "version": "10.11.12"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update Mattermost to versions 11.5.0, 11.4.1, 11.3.2, 11.2.4, 10.11.12 or higher."}], "references": [{"url": "https://mattermost.com/security-updates", "name": "MMSA-2026-00598", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory.. Mattermost Advisory ID: MMSA-2026-00598"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-03-26T16:21:19.421Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3114", "state": "PUBLISHED", "dateUpdated": "2026-03-26T17:51:14.833Z", "dateReserved": "2026-02-24T11:01:47.197Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-03-26T16:21:19.421Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory.. Mattermost Advisory ID: MMSA-2026-00598"}, {"lang": "es", "value": "Las versiones de Mattermost 11.4.x &lt;= 11.4.0, 11.3.x &lt;= 11.3.1, 11.2.x &lt;= 11.2.3, 10.11.x &lt;= 10.11.11 no validan los tama\u00f1os de las entradas de archivo descomprimidas durante la extracci\u00f3n de archivos, lo que permite a usuarios autenticados con permisos de carga de archivos causar una denegaci\u00f3n de servicio mediante archivos zip manipulados que contienen entradas altamente comprimidas (bombas zip) que agotan la memoria del servidor. ID de aviso de Mattermost: MMSA-2026-00598"}], "id": "CVE-2026-3114", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T17:16:42.480", "references": [{"source": "[email protected]", "url": "https://mattermost.com/security-updates"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "[email protected]", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.4.0,11.4.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.3.0,11.3.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.2.0,11.2.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.11.0,10.11.11]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.5.0"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.4.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.3.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "11.2.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.11.12"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mattermost", "source": "cna", "vendor": "Mattermost"}, "product": "mattermost", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-03-26T17:23:53.222389+00:00", "value": {"mitigation_remediation": ["Update Mattermost to any release newer than 11.4.1, 11.3.2, 11.2.4, or 10.11.12 as provided by the vendor.", "If an immediate update is not possible, restrict or disable file upload permissions for non\u2011trusted users to prevent zip bomb uploads. ", "Verify that any custom plugins or extensions do not bypass the built\u2011in archive decompression limits."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via archive compression exploitation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mattermost teams running versions 11.4.x up to 11.4.0, 11.3.x up to 11.3.1, 11.2.x up to 11.2.3, and 10.11.x up to 10.11.11. Any installation of Mattermost in these version ranges that allows authenticated users to upload documents is susceptible.", "description_and_impact": "Mattermost versions prior to 11.4.1, 11.3.2, 11.2.4, and 10.11.12 fail to check sizes of files extracted from archives. An authenticated user who can upload files can craft a ZIP archive containing extremely small compressed entries, known as a zip bomb, which when decompressed consumes excessive server memory and results in the service becoming unavailable. The attacker would gain temporary denial of service and potentially impact availability of the platform for all users. The weakness corresponds to uncontrolled resource consumption (CWE\u2011409).", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity. No EPSS data is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is authenticated remote with file upload permissions; the attacker initiates the exploit by uploading a crafted zip file, triggering memory exhaustion during automatic extraction. The available patch mitigates the issue, and without remediation the risk remains moderate to high for exposed deployments."}}}}, "created": "2026-03-27T08:33:56.776060+00:00", "updated": "2026-03-27T09:26:23.102933+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$mattermost"]}