GHSA-mcw6-3256-64gg
GitHub Security Advisory
Mattermost Server doesn't limit the number of user preferences
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 do not limit the number of user preferences, which allows an attacker to send a large number of user preferences, potentially causing denial of service.
Affected Packages
Go: github.com/mattermost/mattermost/server/v8, affected versions: 8.1.0 (fixed in 8.1.11)
Go: github.com/mattermost/mattermost/server/v8, affected versions: 9.3.0 (fixed in 9.3.3)
Go: github.com/mattermost/mattermost/server/v8, affected versions: 9.4.0 (fixed in 9.4.4)
Go: github.com/mattermost/mattermost/server/v8, affected versions: 9.5.0 (fixed in 9.5.2)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: August 2, 2025 6:46 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.