CVE-2025-3230 — Incorrect Implementation of Authentication Algorithm in Mattermost Mattermost-server

CWE-303 — Incorrect Implementation of Authentication Algorithm5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 58.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Github.com Mattermost Mattermost Server V8 Mattermost Server +1 more

Timeline

PublishedMay 30

Latest updateJun 3

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

▶NVDmattermost/mattermost_server9.11.0 — 9.11.13+3

▶Gogithub.com/mattermost_mattermost-server9.0.0-rc1+incompatible — 9.11.13+incompatible+3

▶Gogithub.com/mattermost_mattermost_server_v810.7.0-rc1 — 10.7.1+4

▶CVEListV5mattermost/mattermost10.6.0 — 10.6.2+3

🔴Vulnerability Details

OSV

Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server↗2025-06-03

▶

OSV

Mattermost fails to properly invalidate personal access tokens upon user deactivation↗2025-05-30

▶

GHSA

Mattermost fails to properly invalidate personal access tokens upon user deactivation↗2025-05-30

▶

CVEList

Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server↗2025-05-30

▶