CVE-2025-3230

Summary

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.7.0affected
MattermostMattermost10.6.0 <= 10.6.2affected
MattermostMattermost10.5.0 <= 10.5.3affected
MattermostMattermost9.11.0 <= 9.11.12affected
MattermostMattermost10.8.0unaffected
MattermostMattermost10.7.1unaffected
MattermostMattermost10.6.3unaffected
MattermostMattermost10.5.4unaffected
MattermostMattermost9.11.13unaffected

Weaknesses

  • CWE-303: CWE-303: Incorrect Implementation of Authentication Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References