PatchSiren cyber security CVE debrief
CVE-2026-9571 Mattermost CVE debrief
CVE-2026-9571: Mattermost OAuth Refresh Token Invalidation. Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation. This allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint. The vulnerability has a CVSS score of 5.9 and is considered medium severity.
- Vendor
- Mattermost
- Product
- Unknown
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 should be aware of this vulnerability. System administrators and security teams responsible for Mattermost deployments should review and update their systems to prevent exploitation.
Technical summary
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation. This allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint. The issue is related to the OAuth refresh token grant endpoint and affects user account deactivation.
Defensive priority
Medium priority due to CVSS score of 5.9 and potential impact on user account security
Recommended defensive actions
- Review and update Mattermost to a version that fixes the issue
- Rotate and invalidate existing OAuth refresh tokens
- Monitor for suspicious activity related to OAuth token usage
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is based on the Mattermost Advisory ID: MMSA-2026-00680 and CVE-2026-9571 details from official sources. The vulnerability allows a deactivated user or an attacker with a valid refresh token to obtain new functional access tokens. This issue affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19. Users should verify their deployments and consider the impact of this vulnerability.
Official resources
-
CVE-2026-9571 CVE record
CVE.org
-
CVE-2026-9571 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T09:16:25.017Z and has not been modified since then.