CVE-2026-9571
Received Received - Intake

OAuth Token Persistence in Mattermost After Account Deactivation

Vulnerability report for CVE-2026-9571, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Mattermost, Inc.

Description

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
mattermost mattermost to 11.7.2 (inc)
mattermost mattermost to 11.6.4 (inc)
mattermost mattermost to 10.11.19 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.7.2, 11.6.4, or 10.11.19, depending on your current version series, as these versions fail to invalidate OAuth refresh tokens upon user account deactivation.

Additionally, monitor Mattermost security updates and advisories to stay informed about patches and fixes.

Impact Analysis

The vulnerability allows unauthorized access to the system by enabling a deactivated user or an attacker with a valid refresh token to continue obtaining new access tokens.

This can lead to unauthorized access to sensitive information and potentially compromise the confidentiality and integrity of the affected Mattermost environment.

Executive Summary

This vulnerability affects certain versions of Mattermost (11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19) where OAuth refresh tokens are not invalidated when a user account is deactivated.

Because the refresh tokens remain valid, a deactivated user or an attacker who has a valid refresh token can use it to obtain new access tokens through the OAuth refresh token grant endpoint.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart