CVE-2025-3230

EUVD-2025-16491
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
mattermostmattermost_server
9.11.0 ≤
𝑥
< 9.11.13
mattermostmattermost_server
10.5.0 ≤
𝑥
< 10.5.4
mattermostmattermost_server
10.6.0 ≤
𝑥
< 10.6.3
mattermostmattermost_server
10.7.0 ≤
𝑥
< 10.7.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates