Description
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
Published: 2026-07-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Mattermost’s handling of OAuth refresh tokens; when a user is deactivated the system does not clear or invalidate the associated refresh tokens. A deactivated account, or anyone who has obtained a valid refresh token, can repeatedly call the OAuth refresh token grant endpoint to receive new functional access tokens. The impact is the continued authorized access to Mattermost resources, potentially allowing a malicious actor to read or modify data as though the user were still active. This flaw is identified as CWE-305, reflecting a missing or improper privilege removal. The vulnerability can enable sustained access that compromises confidentiality and integrity of all data the token holder can reach. The description does not indicate denial of service or remote code execution, but it enables significant privilege misuse.

Affected Systems

Mattermost product lines are affected. Versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19 fail to invalidate refresh tokens when a user account is deactivated. The vendor recommends upgrading to Mattermost 11.8.0, 11.7.3, 11.6.5, 10.11.20 or any higher version that includes the patch.

Risk and Exploitability

The CVSS score of 5.9 places the flaw in the Medium severity range, meaning it can be leveraged if an attacker can obtain a refresh token. The EPSS score is not available, so the current exploitation probability cannot be quantified, but the lack of token invalidation suggests a meaningful risk if a deactivation is performed without revoking tokens. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed large-scale exploits at the time of assessment. The likely attack vector is remote: an adversary can trigger the OAuth token endpoint over the network to renew access tokens, provided they have a valid refresh token or the target user’s credentials. No local privilege escalation or code execution is required.

Generated by OpenCVE AI on July 13, 2026 at 17:26 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5, 10.11.20 or higher.


OpenCVE Recommended Actions

  • Apply the Mattermost patch to reach at least version 11.8.0, 11.7.3, 11.6.5, or 10.11.20 to ensure refresh tokens are invalidated upon account deactivation.
  • Immediately revoke all existing OAuth refresh tokens that may belong to deactivated users or have potentially been compromised; this limits further token issuance until the patch is applied.
  • If immediate patching is not feasible, disable the OAuth refresh token grant feature or force a system-wide revocation of all refresh tokens, then require users to reauthenticate, thereby preventing renewed token creation until the flaw is fixed.

Generated by OpenCVE AI on July 13, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 13 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 13 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
Title Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost
Weaknesses CWE-305
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-07-13T07:50:55.793Z

Reserved: 2026-05-26T11:52:27.228Z

Link: CVE-2026-9571

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T17:30:04Z

Weaknesses
  • CWE-305

    Authentication Bypass by Primary Weakness