Moderate severity · NVD Advisory · Published May 30, 2025 · Updated May 30, 2025
Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server
CVE-2025-3230
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, and 9.11.x <= 9.11.12 fail to invalidate personal access tokens when a user is deactivated. Because token validation does not check whether the token's owner is still an active user, a deactivated user can keep full system access by continuing to use previously issued tokens.
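The flaw comes down to a missing check in token validation and a missing revocation step in deactivation. The following Go program is an added illustration of both fixes and is not Mattermost's own code: the `User`, `PersonalAccessToken` and in-memory `Store` types, the `DeleteAt`/`IsActive` fields and all function names are assumptions made for this example. `ValidateToken` refuses a token whose owner has a non-zero `DeleteAt`, and `DeactivateUser` additionally revokes every token the user holds, so access ends even on a code path that only looks at the token record.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// User holds the two fields the check needs; DeleteAt != 0 marks a
// deactivated account (constructed for this example, not Mattermost's type).
type User struct {
	ID       string
	DeleteAt int64 // Unix millis of deactivation, 0 while active
}

// PersonalAccessToken is a hypothetical token record.
type PersonalAccessToken struct {
	Token    string
	UserID   string
	IsActive bool
}

var (
	ErrTokenNotFound   = errors.New("personal access token not found")
	ErrTokenRevoked    = errors.New("personal access token revoked")
	ErrUserDeactivated = errors.New("token owner is deactivated")
	ErrUserNotFound    = errors.New("user not found")
)

// Store is an in-memory stand-in for the server's user and token tables.
type Store struct {
	mu     sync.Mutex
	users  map[string]*User
	tokens map[string]*PersonalAccessToken
}

func NewStore() *Store {
	return &Store{users: map[string]*User{}, tokens: map[string]*PersonalAccessToken{}}
}

func (s *Store) AddUser(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[id] = &User{ID: id}
}

// IssueToken mints a random token, but only for an active user.
func (s *Store) IssueToken(userID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok {
		return "", ErrUserNotFound
	}
	if u.DeleteAt != 0 {
		return "", ErrUserDeactivated
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.tokens[tok] = &PersonalAccessToken{Token: tok, UserID: userID, IsActive: true}
	return tok, nil
}

// ValidateToken is the hardened check: the token must exist, must not have
// been revoked, and its owner must still be active. The owner check is the
// one the advisory describes as missing.
func (s *Store) ValidateToken(token string) (*User, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	pat, ok := s.tokens[token]
	if !ok {
		return nil, ErrTokenNotFound
	}
	if !pat.IsActive {
		return nil, ErrTokenRevoked
	}
	u, ok := s.users[pat.UserID]
	if !ok || u.DeleteAt != 0 {
		return nil, ErrUserDeactivated
	}
	return u, nil
}

// DeactivateUser marks the user deleted and revokes every token they own.
func (s *Store) DeactivateUser(userID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok {
		return ErrUserNotFound
	}
	u.DeleteAt = time.Now().UnixMilli()
	for _, pat := range s.tokens {
		if pat.UserID == userID {
			pat.IsActive = false
		}
	}
	return nil
}

func main() {
	s := NewStore()
	s.AddUser("alice")
	tok, _ := s.IssueToken("alice")
	_, err := s.ValidateToken(tok)
	fmt.Println("before deactivation:", err)
	_ = s.DeactivateUser("alice")
	_, err = s.ValidateToken(tok)
	fmt.Println("after deactivation:", err)
}
```

The two defences are deliberately independent: even if a deactivation path forgets to revoke tokens (the situation the advisory describes), the owner check in `ValidateToken` still rejects the token, and even if a caller bypasses the owner check, the revoked token record stops it.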
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.7.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0-rc1, < 10.6.3 | 10.6.3 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.0.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250402193107-65343f84a783 | 8.0.0-20250402193107-65343f84a783 |
Affected products (3 entries, GHSA coordinates)
- pkg:golang/github.com/mattermost/mattermost/server/v8 (no CPE): >= 10.7.0-rc1, < 10.7.1, plus 1 more range
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE): < 0.0.20250612T141001-1.1
- Version 10.7.0