Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider

GHSA-g24c-fx4v-xg9w · CVE-2017-18905 · GO-2026-4306

Published May 24, 2022 · Modified Feb 3, 2026

Description

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-18905
WEB https://github.com/mattermost/mattermost/commit/15ad24d160cb4604d0605ebbfa53d11a57820706
WEB https://github.com/mattermost/mattermost/commit/b17fca0d5ee7557e3df1cf1d1da8bd749859e35f
WEB https://github.com/mattermost/mattermost/commit/fbc170733e86f09b46ba754dd03304733d2f482f
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes