Impact
Mattermost versions 11.7.x through 10.11.x fail to invalidate the cached authentication state for active WebSocket connections when a global session revocation event occurs. As a result, a user who already has an open WebSocket connection remains authenticated and continues to receive real‑time updates until the cached session expires or the client reconnects. This gives an attacker with a valid session the ability to maintain a privileged connection beyond the intended revocation period, potentially exposing sensitive data or allowing continued interaction with the system.
Affected Systems
Affected systems are Mattermost installations running the following versions: 11.7.0 and earlier, 11.6.2 and earlier, 11.5.5 and earlier, and 10.11.17 and earlier. The issue is present only in the mentioned releases and not in newer Mattermost releases.
Risk and Exploitability
The CVSS score is 4.3, which places the vulnerability in the moderate range. EPSS data is not available and the vulnerability is not listed in the current CISA KEV catalog. Exploitation requires that an attacker already has an active WebSocket session when a global revocation is performed. The attacker can then maintain authenticated activity until the session cache naturally expires or the client side reconnects, providing an unintentional persistence of access.
OpenCVE Enrichment