CVE-2024-4183

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.

Published: Apr 26, 2024
Updated: May 4, 2025
CVE: CVE-2024-4183
GHSA: GHSA-wj37-mpq9-xrcm
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400
CWE-770

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost-server	9.6.0-rc1	9.6.1
github.com/mattermost/mattermost-server	9.5.0	9.5.3
github.com/mattermost/mattermost-server	9.4.0	9.4.5
github.com/mattermost/mattermost-server	8.1.0	8.1.12
mattermost / mattermost_server	8.1.0	8.1.12
mattermost / mattermost_server	9.5.0	9.5.3
mattermost / mattermost_server	9.4.0	9.4.5
mattermost / mattermost_server	9.6.0	9.6.1

https://github.com/mattermost/mattermost/commit/86920d641760552c5aafa5e1d14c93bd30039bc4
https://github.com/mattermost/mattermost/commit/9d81eee979aee93374bff8ba6714d805e12ffb03
https://github.com/mattermost/mattermost/commit/b45c3dac4c160992a1ce757ade968e8f5ec506c1
https://github.com/mattermost/mattermost/commit/bc699e6789cf3ba1544235087897699aaa639e7d
https://mattermost.com/security-updates

Vulnerability Database

290,020

CVE-2024-4183