CVE-2026-24661 Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint

Mattermost Plugins versions =2.1.3.0 fail to limit the request body size on the /changes webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611...

PT-2026-31604

Name of the Vulnerable Software and Affected Versions Mattermost Plugins versions less than or equal to 2.1.3.0 Description Mattermost Plugins versions less than or equal to 2.1.3.0 do not limit the request body size on the /changes webhook endpoint. This allows an authenticated attacker to cause...