Session Management Vulnerability in Mattermost by Mattermost Inc.
CVE-2026-9597

5.4MEDIUM

Key Information:

Vendor

Mattermost

Vendor
CVE Published:
13 July 2026

What is CVE-2026-9597?

Mattermost versions 11.7.x up to 11.7.2 and 11.6.x up to 11.6.4 are susceptible to a session management vulnerability. This flaw arises when the system fails to verify whether a guest account is deactivated before granting access through a magic-link token login process. Consequently, a deactivated guest user can leverage an issued magic-link token, compromising the integrity of user session management and enabling unauthorized access.

Affected Version(s)

Mattermost 11.7.0 <= 11.7.2

Mattermost 11.6.0 <= 11.6.4

Mattermost 11.8.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alimursaliyev
.