OAuth Token Security Flaw in Mattermost by Mattermost
CVE-2026-9571

5.9MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
13 July 2026

What is CVE-2026-9571?

Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19 exhibit a vulnerability where OAuth refresh tokens are not invalidated when a user account is deactivated. This oversight allows deactivated users or malicious actors holding a valid refresh token to obtain new functional access tokens through the OAuth refresh token grant endpoint, potentially compromising the security of the system.

Affected Version(s)

Mattermost 11.7.0 <= 11.7.2

Mattermost 11.6.0 <= 11.6.4

Mattermost 10.11.0 <= 10.11.19

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

kirs112
.