Home

Description

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680

PUBLISHED Reserved 2026-05-26 | Published 2026-07-13 | Updated 2026-07-14 | Assigner Mattermost




MEDIUM: 5.9CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-305 – Authentication Bypass by Primary Weakness

Product status

Default status
unaffected

11.7.0 (semver)
affected

11.6.0 (semver)
affected

10.11.0 (semver)
affected

11.8.0
unaffected

11.7.3
unaffected

11.6.5
unaffected

10.11.20
unaffected

Credits

kirs112 finder

References

mattermost.com/security-updates (MMSA-2026-00680) vendor-advisory

cve.org (CVE-2026-9571)

nvd.nist.gov (CVE-2026-9571)

Download JSON