CVE-2026-9597 in Mattermost
Summary
by MITRE • 07/13/2026
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation.. Mattermost Advisory ID: MMSA-2026-00681
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability represents a critical session management flaw in Mattermost's authentication system that directly impacts the security of guest user accounts. The issue occurs specifically within the magic-link token login pathway where the system fails to validate the active status of guest accounts before establishing a new session. This oversight creates a persistent security gap that allows attackers to exploit previously issued magic-link tokens even after the corresponding guest account has been deactivated by administrators.
The technical flaw stems from inadequate access control validation during the authentication process. When a guest user receives a magic-link token, the system should verify that the account remains active and authorized before proceeding with session creation. However, Mattermost versions 11.7.x through 11.7.2 and 11.6.x through 11.6.4 bypass this crucial validation step, enabling unauthorized access through expired credentials. This behavior violates fundamental security principles outlined in CWE-613, which addresses inadequate session management and improper validation of session tokens.
The operational impact of this vulnerability extends beyond simple unauthorized access to potentially enable persistent threats against organizations using Mattermost's guest user functionality. Deactivated guest accounts typically should not be able to access system resources after their deactivation, but this flaw allows attackers to maintain access through previously issued tokens. This creates a window of opportunity for malicious actors to perform actions within the system that they would otherwise be restricted from doing, potentially leading to data exposure, privilege escalation, or other security breaches.
From an adversarial perspective, this vulnerability aligns with ATT&CK technique T1566.002 which covers phishing with malicious links, as attackers could exploit the magic-link functionality to maintain access even after account deactivation. The flaw also relates to privilege escalation techniques since deactivated accounts should have no valid session tokens, yet the system permits continued access through cached or previously issued tokens.
Organizations using affected Mattermost versions should immediately implement mitigations including updating to patched releases where available, implementing additional session validation controls, and monitoring for suspicious authentication patterns. Administrators should also consider revoking magic-link tokens for deactivated users through manual intervention processes until the software is updated with proper account status verification. The vulnerability demonstrates the critical importance of maintaining proper access control validation throughout all authentication pathways, particularly in systems that handle guest user accounts where temporary access needs careful management and monitoring.
This issue highlights how seemingly minor oversights in session management can create significant security risks in collaborative platforms that rely on token-based authentication mechanisms. The vulnerability represents a failure to implement proper account lifecycle management within the authentication flow, creating persistent access paths that bypass expected security controls. Organizations should conduct thorough audits of their authentication systems to identify similar gaps in account status verification and session validation processes across all platform components.