CVE-2026-9571
5.9
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mattermost | Mattermost | 11.7.0 <= 11.7.2 | affected |
| Mattermost | Mattermost | 11.6.0 <= 11.6.4 | affected |
| Mattermost | Mattermost | 10.11.0 <= 10.11.19 | affected |
| Mattermost | Mattermost | 11.8.0 | unaffected |
| Mattermost | Mattermost | 11.7.3 | unaffected |
| Mattermost | Mattermost | 11.6.5 | unaffected |
| Mattermost | Mattermost | 10.11.20 | unaffected |
Weaknesses
- CWE-305: CWE-305 – Authentication Bypass by Primary Weakness
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.