PT-2026-57662 · Mattermost · Mattermost
Kirs112
·
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-9571
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Mattermost versions 11.7.0 through 11.7.2
Mattermost versions 11.6.0 through 11.6.4
Mattermost versions 10.11.0 through 10.11.19
Description
The software fails to invalidate OAuth refresh tokens when a user account is deactivated. This allows a deactivated user or an attacker with a valid refresh token to obtain new functional access tokens through the OAuth refresh token grant endpoint.
Recommendations
Update Mattermost versions 11.7.0 through 11.7.2 to a version newer than 11.7.2.
Update Mattermost versions 11.6.0 through 11.6.4 to a version newer than 11.6.4.
Update Mattermost versions 10.11.0 through 10.11.19 to a version newer than 10.11.19.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mattermost