Impact
The vulnerability resides in Mattermost’s handling of OAuth refresh tokens; when a user is deactivated the system does not clear or invalidate the associated refresh tokens. A deactivated account, or anyone who has obtained a valid refresh token, can repeatedly call the OAuth refresh token grant endpoint to receive new functional access tokens. The impact is the continued authorized access to Mattermost resources, potentially allowing a malicious actor to read or modify data as though the user were still active. This flaw is identified as CWE-305, reflecting a missing or improper privilege removal. The vulnerability can enable sustained access that compromises confidentiality and integrity of all data the token holder can reach. The description does not indicate denial of service or remote code execution, but it enables significant privilege misuse.
Affected Systems
Mattermost product lines are affected. Versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19 fail to invalidate refresh tokens when a user account is deactivated. The vendor recommends upgrading to Mattermost 11.8.0, 11.7.3, 11.6.5, 10.11.20 or any higher version that includes the patch.
Risk and Exploitability
The CVSS score of 5.9 places the flaw in the Medium severity range, meaning it can be leveraged if an attacker can obtain a refresh token. The EPSS score is not available, so the current exploitation probability cannot be quantified, but the lack of token invalidation suggests a meaningful risk if a deactivation is performed without revoking tokens. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed large-scale exploits at the time of assessment. The likely attack vector is remote: an adversary can trigger the OAuth token endpoint over the network to renew access tokens, provided they have a valid refresh token or the target user’s credentials. No local privilege escalation or code execution is required.
OpenCVE Enrichment