CVE-2025-3230

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

Published: May 30, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-3230
GHSA: GHSA-mc2f-jgj6-6cp3
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-303

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	10.7.0-rc1	10.7.1
github.com/mattermost/mattermost/server/v8	10.6.0-rc1	10.6.3
github.com/mattermost/mattermost/server/v8	10.0.0-rc1	10.5.4
github.com/mattermost/mattermost/server/v8	9.0.0-rc1	9.11.13
github.com/mattermost/mattermost/server/v8	-	8.0.0-20250402193107-65343f84a783

https://github.com/mattermost/mattermost/commit/65343f84a7830fa8078fe3df879fca924e4fac01
https://mattermost.com/security-updates

Vulnerability Database

289,782

CVE-2025-3230