Mattermost fails to properly invalidate personal access tokens upon user deactivation
Moderate severity
GitHub Reviewed
Published
May 30, 2025
to the GitHub Advisory Database
•
Updated May 30, 2025
Package
Affected versions
>= 10.7.0-rc1, < 10.7.1
>= 10.6.0-rc1, < 10.6.3
>= 10.0.0-rc1, < 10.5.4
>= 9.0.0-rc1, < 9.11.13
< 8.0.0-20250402193107-65343f84a783
Patched versions
10.7.1
10.6.3
10.5.4
9.11.13
8.0.0-20250402193107-65343f84a783
Description
Published by the National Vulnerability Database
May 30, 2025
Published to the GitHub Advisory Database
May 30, 2025
Reviewed
May 30, 2025
Last updated
May 30, 2025
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
References