OAuth Token Security Flaw in Mattermost by Mattermost
CVE-2026-9571
5.9MEDIUM
What is CVE-2026-9571?
Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19 exhibit a vulnerability where OAuth refresh tokens are not invalidated when a user account is deactivated. This oversight allows deactivated users or malicious actors holding a valid refresh token to obtain new functional access tokens through the OAuth refresh token grant endpoint, potentially compromising the security of the system.
Affected Version(s)
Mattermost 11.7.0 <= 11.7.2
Mattermost 11.6.0 <= 11.6.4
Mattermost 10.11.0 <= 10.11.19