PT-2026-57662 · Mattermost · Mattermost

Kirs112

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-9571

CVSS v3.1

5.9

Medium

VectorAV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Mattermost versions 11.7.0 through 11.7.2 Mattermost versions 11.6.0 through 11.6.4 Mattermost versions 10.11.0 through 10.11.19
Description The software fails to invalidate OAuth refresh tokens when a user account is deactivated. This allows a deactivated user or an attacker with a valid refresh token to obtain new functional access tokens through the OAuth refresh token grant endpoint.
Recommendations Update Mattermost versions 11.7.0 through 11.7.2 to a version newer than 11.7.2. Update Mattermost versions 11.6.0 through 11.6.4 to a version newer than 11.6.4. Update Mattermost versions 10.11.0 through 10.11.19 to a version newer than 10.11.19.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9571

Affected Products

Mattermost