Description
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681
Published: 2026-07-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost versions 11.7.0 to 11.7.2 and 11.6.0 to 11.6.4 allow a deactivated guest account to create a valid session via the magic‑link login path because the system fails to validate the account’s deactivation status. As a result, an attacker who possesses a magic‑link token issued before deactivation can gain full access to the guest account’s functionality. This flaw is a classic example of improper authorization (CWE‑305) and enables unauthorized use of the system without requiring additional privileges.

Affected Systems

The affected product is Mattermost. The vulnerability exists in the REST API login endpoint of Mattermost versions 11.7.x up to and including 11.7.2 and 11.6.x up to and including 11.6.4. Other versions are not affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA KEV, suggesting no known zero‑day exploitation. Likely exploitation requires remote access to the API and possession of a previously‑issued magic‑link token; the attack vector is remote and involves no privilege escalation beyond the guest account’s permissions.

Generated by OpenCVE AI on July 13, 2026 at 17:23 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.3, 11.6.5 or higher.


OpenCVE Recommended Actions

  • Apply the vendor‑issued patch that updates Mattermost to version 11.8.0, 11.7.3, 11.6.5 or higher.
  • If immediate patching is not possible, disable the magic‑link login feature for guest accounts or restrict it so that only active accounts can retrieve or use magic‑link tokens.
  • Revoke all existing magic‑link tokens that were issued to guest accounts before or during deactivation, and monitor for any unauthorized sessions or anomalous activity.

Generated by OpenCVE AI on July 13, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 13 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 13 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681
Title Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
Weaknesses CWE-305
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-07-13T13:55:15.448Z

Reserved: 2026-05-26T15:15:14.343Z

Link: CVE-2026-9597

cve-icon Vulnrichment

Updated: 2026-07-13T13:55:11.951Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T17:30:04Z

Weaknesses
  • CWE-305

    Authentication Bypass by Primary Weakness