GHSA-mc2f-jgj6-6cp3: Mattermost fails to properly invalidate personal access tokens upon user deactivation

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, and 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation. A deactivated user can keep full system access by continuing to use previously issued tokens, because token validation does not account for the owner's deactivated status.
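The flaw described above is a common one in token-based authentication: the token record is checked, but the state of the account that owns it is not, so deactivating the account does nothing to tokens already in the wild. The Go program below is an added illustration written for this page, not Mattermost's code; it uses a constructed in-memory store with hypothetical `User`, `PersonalAccessToken` and `Store` types. It contrasts a token-only check with an owner-aware check, and shows a deactivation routine that both flags the user and revokes their tokens so that neither path can be bypassed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Minimal hypothetical model (constructed for this example; not Mattermost's types).
type User struct {
	ID       string
	DeleteAt int64 // 0 = active; non-zero = deactivation time (unix ms)
}

type PersonalAccessToken struct {
	ID       string
	UserID   string
	IsActive bool
}

type Store struct {
	users  map[string]*User
	tokens map[string]*PersonalAccessToken
}

var (
	ErrTokenInvalid    = errors.New("token does not exist or is revoked")
	ErrUserDeactivated = errors.New("token owner is deactivated")
)

func NewStore() *Store {
	return &Store{users: map[string]*User{}, tokens: map[string]*PersonalAccessToken{}}
}

func (s *Store) AddUser(id string) { s.users[id] = &User{ID: id} }

func (s *Store) IssueToken(tokenID, userID string) {
	s.tokens[tokenID] = &PersonalAccessToken{ID: tokenID, UserID: userID, IsActive: true}
}

// ValidateTokenOnly models the weak pattern: it inspects the token record alone,
// so a token issued before its owner was deactivated keeps being accepted.
func (s *Store) ValidateTokenOnly(tokenID string) (*User, error) {
	tok, ok := s.tokens[tokenID]
	if !ok || !tok.IsActive {
		return nil, ErrTokenInvalid
	}
	u, ok := s.users[tok.UserID]
	if !ok {
		return nil, ErrTokenInvalid
	}
	return u, nil
}

// ValidateToken is the hardened check: the owner's status is consulted on every
// request, so deactivation takes effect even if token revocation was missed.
func (s *Store) ValidateToken(tokenID string) (*User, error) {
	u, err := s.ValidateTokenOnly(tokenID)
	if err != nil {
		return nil, err
	}
	if u.DeleteAt != 0 {
		return nil, ErrUserDeactivated
	}
	return u, nil
}

// DeactivateUser marks the user deactivated and revokes every active token they
// own, returning the number of tokens revoked. Doing both closes the window in
// which a stale token could still be accepted by a token-only check.
func (s *Store) DeactivateUser(userID string, now int64) int {
	u, ok := s.users[userID]
	if !ok {
		return 0
	}
	u.DeleteAt = now
	revoked := 0
	for _, tok := range s.tokens {
		if tok.UserID == userID && tok.IsActive {
			tok.IsActive = false
			revoked++
		}
	}
	return revoked
}

func main() {
	s := NewStore()
	s.AddUser("alice")
	s.IssueToken("tok-1", "alice")
	// Simulate a deactivation path that forgot to revoke tokens.
	s.users["alice"].DeleteAt = time.Now().UnixMilli()
	_, err := s.ValidateTokenOnly("tok-1")
	fmt.Println("token-only check after deactivation:", err) // nil: still accepted
	_, err = s.ValidateToken("tok-1")
	fmt.Println("owner-aware check after deactivation:", err) // rejected
}
```

The owner-aware check is the defence that holds even when some code path deactivates a user without touching their tokens; revoking tokens on deactivation is still worth doing so that the tokens stop being valid credentials in their own right (for audit logs, for rate limiting, and for any downstream system that only sees the token).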

Source: GitHub Advisory Database (GitHub Reviewed)

CVE: CVE-2025-3230

Mattermost fails to properly invalidate personal access tokens upon user deactivation

Severity: Moderate (GitHub Reviewed). Published to the GitHub Advisory Database on May 30, 2025; last updated May 30, 2025.

Package

gomod github.com/mattermost/mattermost/server/v8 (Go)

Affected versions

>= 10.7.0-rc1, < 10.7.1

>= 10.6.0-rc1, < 10.6.3

>= 10.0.0-rc1, < 10.5.4

>= 9.0.0-rc1, < 9.11.13

< 8.0.0-20250402193107-65343f84a783

Patched versions

10.7.1

10.6.3

10.5.4

9.11.13

8.0.0-20250402193107-65343f84a783

Published to the GitHub Advisory Database

May 30, 2025

Last updated

May 30, 2025
