cbcvebase.
CVE-2025-3230
published 2025-05-30

CVE-2025-3230: Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user…

medium5.4CVSS 3.1
AVNACLPRLUINSUCLILAN
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

Affected

17 ranges
VendorProductVersion rangeFixed in
github.commattermost_mattermost-server>= 10.0.0-rc1+incompatible < 10.5.4+incompatible10.5.4+incompatible
github.commattermost_mattermost-server>= 10.6.0-rc1+incompatible < 10.6.3+incompatible10.6.3+incompatible
github.commattermost_mattermost-server>= 10.7.0-rc1+incompatible < 10.7.1+incompatible10.7.1+incompatible
github.commattermost_mattermost-server>= 9.0.0-rc1+incompatible < 9.11.13+incompatible9.11.13+incompatible
github.commattermost_mattermost_server_v8>= 0 < 8.0.0-20250402193107-65343f84a7838.0.0-20250402193107-65343f84a783
github.commattermost_mattermost_server_v8>= 10.0.0-rc1 < 10.5.410.5.4
github.commattermost_mattermost_server_v8>= 10.6.0-rc1 < 10.6.310.6.3
github.commattermost_mattermost_server_v8>= 10.7.0-rc1 < 10.7.110.7.1
github.commattermost_mattermost_server_v8>= 9.0.0-rc1 < 9.11.139.11.13
mattermostmattermost
mattermostmattermost10.5.0 – 10.5.3
mattermostmattermost10.6.0 – 10.6.2
mattermostmattermost9.11.0 – 9.11.12
mattermostmattermost_server>= 10.5.0 < 10.5.410.5.4
mattermostmattermost_server>= 10.6.0 < 10.6.310.6.3
mattermostmattermost_server>= 10.7.0 < 10.7.110.7.1
mattermostmattermost_server>= 9.11.0 < 9.11.139.11.13