CVE-2026-2455

Aliases: GHSA-gqv7-j2j8-qmwq, GO-2026-4746
Advisory lineage Upstream: 0 Downstream: 1
Analyzed
Published: 16 Mar 2026, 14:53
Last modified:16 Mar 2026, 18:38

Vulnerability Summary

Overall Risk (default)
low
17/100
CVSS Score
4.3 MEDIUM
v3.1 (cve.org)
EPSS Score
0.04% LOW
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Mar 2026, 14:53
Published
Vulnerability first disclosed
16 Mar 2026, 18:38
Last Modified
Vulnerability information updated

Description

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved-IP validation, which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]). Mattermost Advisory ID: MMSA-2026-00585

CVSS Metrics

  • v3.1 MEDIUM, Score: 4.3, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.04% Percentile: 12%

Techniques & Countermeasures

  • CWE-918: Server-Side Request Forgery (SSRF)

    The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Systems

  • github.com/mattermost/mattermost-server

    ≥ 11.3.0-rc1+incompatible, < 11.3.1+incompatible | < 5.3.2-0.20260129133647-5d787969c2d5 | ≥ 10.11.0-rc1, < 10.11.11 | ≥ 11.2.0-rc1, < 11.2.3 | ≥ 11.3.0-rc1, < 11.3.1

  • github.com/mattermost/mattermost-server/v5

    all

  • github.com/mattermost/mattermost-server/v6

    all

  • github.com/mattermost/mattermost/server/v8

    < 8.0.0-20260129133647-5d787969c2d5

  • mattermost / mattermost

    11.3.0 | ≥ 11.2.0, ≤ 11.2.2 | ≥ 10.11.0, ≤ 10.11.10

  • mattermost / mattermost_server

    ≥ 10.11.0, < 10.11.11 | ≥ 11.2.0, < 11.2.3 | ≥ 11.3.0, < 11.3.1

References (5)