CVE-2026-4635 Overview
CVE-2026-4635 is a race condition vulnerability in Mattermost Server that allows an authenticated user to crash the server. The flaw exists in the persistent notification handling logic, where the server removes existing persistent notifications before archiving the channel. An attacker can time the creation of a new persistent notification message to land between these two operations, triggering a server crash. The issue is tracked under Mattermost Advisory MMSA-2026-00637 and is classified as a concurrent execution flaw [CWE-362].
Critical Impact
Authenticated users can crash the Mattermost server through precise timing of persistent notification messages, causing service unavailability for all users.
Affected Products
- Mattermost Server 11.6.x <= 11.6.0
- Mattermost Server 11.5.x <= 11.5.3
- Mattermost Server 11.4.x <= 11.4.4 and 10.11.x <= 10.11.14
Discovery Timeline
- 2026-05-22 - CVE-2026-4635 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-4635
Vulnerability Analysis
The vulnerability is a race condition between two non-atomic operations in the channel archiving workflow. When a channel is archived, Mattermost first deletes existing persistent notifications and then archives the channel. These steps are not protected by a single transaction or lock. An authenticated user with permission to post in the channel can submit a new persistent notification message in the narrow window between deletion and archival. The resulting state inconsistency causes the server process to crash, producing a denial of service condition affecting all users of the deployment.
Root Cause
The root cause is improper synchronization of shared resources during channel archival, mapped to [CWE-362] (Concurrent Execution using Shared Resource with Improper Synchronization). The persistent notification cleanup and the channel archive operation execute as separate steps. No mutual exclusion mechanism prevents new persistent notifications from being created in between. The server later operates on an unexpected state and terminates.
Attack Vector
Exploitation requires network access to the Mattermost API and a valid authenticated session with permission to post persistent notifications in the targeted channel. The attacker must repeatedly trigger persistent notification creation while a channel archive operation is in progress. Successful timing produces a server crash. The attack does not affect confidentiality or integrity but yields a high availability impact, consistent with the CVSS vector.
No public proof-of-concept exploit is currently available. The EPSS score is 0.042% at the 13.245 percentile, indicating low predicted exploitation activity.
Detection Methods for CVE-2026-4635
Indicators of Compromise
- Unexpected Mattermost server process termination or panic entries in application logs coinciding with channel archive operations.
- Repeated POST requests to persistent notification endpoints from a single authenticated session immediately preceding a channel archive event.
- Recurring server restarts or container respawns without corresponding administrative actions.
Detection Strategies
- Monitor Mattermost application logs for stack traces and panic messages emitted during channel archival workflows.
- Correlate channel archive audit events with persistent notification creation events occurring within milliseconds of each other.
- Track abnormal rates of persistent notification creation by individual users against the same channel.
Monitoring Recommendations
- Forward Mattermost server logs and audit events to a centralized logging or SIEM platform for correlation.
- Alert on Mattermost service restarts or unhealthy container states detected by orchestration platforms.
- Review per-user activity baselines to identify accounts generating disproportionate persistent notification volume.
How to Mitigate CVE-2026-4635
Immediate Actions Required
- Upgrade Mattermost Server to a patched release listed in the Mattermost Security Updates advisory.
- Audit user accounts and revoke unnecessary channel posting privileges to reduce the population of users capable of triggering the race.
- Enable automatic process supervision so the server restarts cleanly if a crash occurs before patching is complete.
Patch Information
Mattermost has issued fixed versions addressing MMSA-2026-00637. Administrators should upgrade beyond the vulnerable releases: 11.6.0, 11.5.3, 11.4.4, and 10.11.14. Refer to the Mattermost Security Updates page for the current fixed version list and upgrade instructions.
Workarounds
- Restrict channel archival permissions to a minimal set of trusted administrators until the patch is applied.
- Disable or limit persistent notification usage in channels that are candidates for archival.
- Implement rate limiting at the reverse proxy for persistent notification API endpoints to reduce the probability of winning the race.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
