Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
Moderate severity
GitHub Reviewed
Published
Mar 16, 2026
to the GitHub Advisory Database
•
Updated Mar 18, 2026
Package
Affected versions
< 5.3.2-0.20260129133647-5d787969c2d5
>= 10.11.0-rc1, < 10.11.11
>= 11.2.0-rc1, < 11.2.3
>= 11.3.0-rc1, < 11.3.1
Patched versions
5.3.2-0.20260129133647-5d787969c2d5
10.11.11
11.2.3
11.3.1
< 8.0.0-20260129133647-5d787969c2d5
8.0.0-20260129133647-5d787969c2d5
Description
Published by the National Vulnerability Database
Mar 16, 2026
Published to the GitHub Advisory Database
Mar 16, 2026
Reviewed
Mar 18, 2026
Last updated
Mar 18, 2026
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).. Mattermost Advisory ID: MMSA-2026-00585
References