CVE-2025-3230

Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server

CVSS 5.4 (Medium) · EPSS 0.2% · CWE-303 (Incorrect Implementation of Authentication Algorithm)
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track (no exploitation signal; monitor)
KEV: no (not listed in CISA's Known Exploited Vulnerabilities catalog)
Lifecycle: published on NVD on 30 May 2025
Recommendation: Monitor — no exploitation signal at the moment.
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3 and 9.11.x <= 9.11.12 fail to invalidate personal access tokens when the owning user is deactivated. Deactivation is meant to cut off all access, but token validation does not check whether the account is still active, so a deactivated user who still holds a previously issued token can keep using it against the API and retains the full access the account had before deactivation.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (network-reachable, low attack complexity, low privileges required because the attacker needs a token that was issued while the account was active, no user interaction, unchanged scope, low confidentiality and integrity impact, no availability impact)
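The practical question for an operator is whether a given instance still honours a personal access token after its owner has been deactivated. The script below is an added example, not code from the advisory or from Mattermost: it creates a throwaway personal access token for a test user, calls the API with it, deactivates the user, calls the API with the same token again, and reports `vulnerable` if the second call still succeeds. It assumes the Mattermost API v4 endpoints `POST /api/v4/users/{id}/tokens`, `GET /api/v4/users/me`, `DELETE /api/v4/users/{id}` and `PUT /api/v4/users/{id}/active`, a system-admin token, and that personal access tokens are enabled on the instance. The `fake_server` transport is a constructed stand-in so the logic can be exercised offline; `is_affected_version` encodes the version ranges exactly as the advisory lists them.

```python
"""Probe a Mattermost server for CVE-2025-3230 behaviour.

Added example, not code from the advisory or from Mattermost. It assumes
these Mattermost API v4 endpoints: POST /users/{id}/tokens (create a PAT),
GET /users/me (identity check with the PAT), DELETE /users/{id}
(deactivate) and PUT /users/{id}/active (reactivate). Use a system-admin
token and a throwaway user on a non-production instance with PATs enabled.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Upper bounds of the affected ranges exactly as the advisory lists them;
# release lines not listed here are outside the advisory's scope.
AFFECTED_CEILINGS = {(10, 7): (10, 7, 0), (10, 6): (10, 6, 2),
                     (10, 5): (10, 5, 3), (9, 11): (9, 11, 12)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'10.6.2' -> (10, 6, 2); a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]] + [0, 0]
    return parts[0], parts[1], parts[2]


def is_affected_version(text: str) -> bool:
    """True when the version falls inside one of the advisory's ranges."""
    major, minor, patch = parse_version(text)
    ceiling = AFFECTED_CEILINGS.get((major, minor))
    return ceiling is not None and (major, minor, patch) <= ceiling


HttpFn = Callable[[str, str, Optional[str], Optional[Dict]], Tuple[int, Dict]]


def urllib_http(method, url, token, body=None):
    """Minimal JSON transport returning (status, decoded body or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, (json.loads(raw) if raw else {})
    except ValueError:
        return status, {}


def classify(status_before: int, status_after: int) -> str:
    """Interpret two /users/me calls made with the same PAT around deactivation."""
    if status_before != 200:
        return "inconclusive"   # the PAT never worked, so nothing is shown
    return "vulnerable" if status_after == 200 else "fixed"


def probe(base_url: str, admin_token: str, user_id: str,
          http: HttpFn = urllib_http) -> str:
    base = base_url.rstrip("/") + "/api/v4"
    status, created = http("POST", f"{base}/users/{user_id}/tokens",
                           admin_token, {"description": "CVE-2025-3230 probe"})
    if status not in (200, 201) or "token" not in created:
        return "inconclusive"   # PATs disabled or the admin lacks permission
    pat = created["token"]
    before, _ = http("GET", f"{base}/users/me", pat)
    http("DELETE", f"{base}/users/{user_id}", admin_token)
    after, _ = http("GET", f"{base}/users/me", pat)
    # Reactivate the test account so the probe is repeatable.
    http("PUT", f"{base}/users/{user_id}/active", admin_token, {"active": True})
    return classify(before, after)


def fake_server(fixed: bool) -> HttpFn:
    """Constructed stand-in so the probe runs offline. A fixed server answers
    401 to the PAT once its owner is deactivated; an unpatched one keeps
    answering 200, which is the behaviour the advisory describes."""
    state = {"active": True}

    def http(method, url, token, body=None):
        if method == "POST" and url.endswith("/tokens"):
            return 201, {"id": "tok1", "token": "pat-secret", "user_id": "u1"}
        if method == "DELETE":
            state["active"] = False
            return 200, {"status": "OK"}
        if method == "PUT" and url.endswith("/active"):
            state["active"] = bool(body and body.get("active"))
            return 200, {"status": "OK"}
        if method == "GET" and url.endswith("/users/me"):
            if token != "pat-secret" or (fixed and not state["active"]):
                return 401, {}
            return 200, {"id": "u1"}
        return 404, {}

    return http


if __name__ == "__main__":
    for label, fixed in (("unpatched", False), ("patched", True)):
        print(label, probe("https://mm.example", "admin-token", "u1",
                           http=fake_server(fixed)))
```

Against a real instance, call `probe("https://chat.example.com", ADMIN_TOKEN, TEST_USER_ID)` with the default transport. A `fixed` result only shows that the token was rejected after deactivation; it does not distinguish a server that revokes tokens on deactivation from one that checks the account state at validation time, and either is acceptable. Treat `inconclusive` as a setup problem (tokens disabled, wrong permission, wrong user id) rather than as evidence either way.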
Affected products: Mattermost Server (vendor Mattermost)
