CVE-2026-9571 in Mattermost
Summary
by MITRE • 07/13/2026
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/13/2026
This vulnerability represents a critical authorization flaw in Mattermost's OAuth implementation that directly violates fundamental security principles governing token lifecycle management. The issue affects multiple version streams including 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19, indicating a widespread problem that has persisted across several releases. The root cause lies in the failure to properly invalidate OAuth refresh tokens when user accounts are deactivated, creating a persistent access vector that undermines the intended security boundaries of the authentication system. This flaw directly maps to CWE-613, which addresses insufficient session management and improper handling of authentication tokens upon user state changes.
The technical exploitation of this vulnerability occurs through a straightforward but dangerous mechanism where deactivated users or attackers with valid refresh tokens can continuously generate new access tokens by submitting refresh token grant requests to the OAuth endpoint. This behavior violates the principle of least privilege and demonstrates a critical failure in access control enforcement, as the system fails to recognize that user deactivation should immediately terminate all active authentication sessions and associated token grants. The vulnerability essentially creates a backdoor where revoked credentials can continue to function indefinitely, enabling unauthorized access to protected resources long after user accounts should have been terminated.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables persistent threat actor presence within organizations using affected Mattermost versions. Attackers who obtain refresh tokens through various means such as credential theft, insider threats, or compromised applications can maintain access to communication channels, team resources, and sensitive data without detection. This particularly affects organizations that rely on Mattermost for secure collaboration, as the vulnerability undermines trust in the system's ability to enforce user lifecycle management. The implications are especially severe in environments where privileged accounts are deactivated but not immediately removed from the system, as these accounts could continue to be exploited long after their intended access should have been revoked.
Organizations should implement immediate mitigations including updating to patched versions of Mattermost where available, implementing additional monitoring for OAuth token usage patterns, and establishing more robust account deactivation procedures that include manual token invalidation. Security teams should also consider implementing automated processes to invalidate tokens upon user deactivation and establish regular audits of active OAuth sessions. From an ATT&CK perspective, this vulnerability relates to T1566 (Phishing) and T1078 (Valid Accounts) where threat actors can leverage stolen or compromised refresh tokens to maintain persistent access. The vulnerability also intersects with T1531 (Account Access Removal) as it prevents proper enforcement of account deactivation procedures and represents a failure in privileged access management controls that should be enforced at the authentication layer.