Session Management Vulnerability in Mattermost by Mattermost Inc.
CVE-2026-9597
5.4MEDIUM
What is CVE-2026-9597?
Mattermost versions 11.7.x up to 11.7.2 and 11.6.x up to 11.6.4 are susceptible to a session management vulnerability. This flaw arises when the system fails to verify whether a guest account is deactivated before granting access through a magic-link token login process. Consequently, a deactivated guest user can leverage an issued magic-link token, compromising the integrity of user session management and enabling unauthorized access.
Affected Version(s)
Mattermost 11.7.0 <= 11.7.2
Mattermost 11.6.0 <= 11.6.4
Mattermost 11.8.0