PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9571 Mattermost CVE debrief

CVE-2026-9571: Mattermost OAuth Refresh Token Invalidation. Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation. This allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint. The vulnerability has a CVSS score of 5.9 and is considered medium severity.

Vendor
Mattermost
Product
Unknown
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 should be aware of this vulnerability. System administrators and security teams responsible for Mattermost deployments should review and update their systems to prevent exploitation.

Technical summary

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation. This allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint. The issue is related to the OAuth refresh token grant endpoint and affects user account deactivation.

Defensive priority

Medium priority due to CVSS score of 5.9 and potential impact on user account security

Recommended defensive actions

  • Review and update Mattermost to a version that fixes the issue
  • Rotate and invalidate existing OAuth refresh tokens
  • Monitor for suspicious activity related to OAuth token usage
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence is based on the Mattermost Advisory ID: MMSA-2026-00680 and CVE-2026-9571 details from official sources. The vulnerability allows a deactivated user or an attacker with a valid refresh token to obtain new functional access tokens. This issue affects Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x <= 10.11.19. Users should verify their deployments and consider the impact of this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T09:16:25.017Z and has not been modified since then.