Mattermost fails to properly invalidate personal access tokens upon user deactivation

GHSA-mc2f-jgj6-6cp3 · CVE-2025-3230 · GO-2025-3731

Published May 30, 2025 · Modified Jun 3, 2025

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-3230
WEB https://github.com/mattermost/mattermost/commit/65343f84a7830fa8078fe3df879fca924e4fac01
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes