CVE-2025-3230

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-3230
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3230.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-3230
Aliases
Downstream
Related
Published
2025-05-30T15:15:41.043Z
Modified
2026-04-10T05:25:08.675378Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

References

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost-server
Events
Introduced
0bc2ddd42375a75ab14e63f038165150d4f07659
Fixed
686c1746a0454421742e7fd22f7aecaccd7a0d0a
Introduced
58bd34fd34cbd7d3da777d627b6cffdf8a532930
Fixed
389a3acd5d77daea50ec00ed348e0fae143fc0a7
Introduced
5eebc77b68c0c2b63103316e3c92342c13fd93f9
Fixed
a8a7c04d36b32f38bea3b8982988fc02ea734ae2
Introduced
f6b324a9d71843e8f48eba9e90dfbeabcbac1ae7
Fixed
7106c46dabbd4e324ed594973ae662fa65069545
Database specific 
{
    "versions": [
        {
            "introduced": "9.11.0"
        },
        {
            "fixed": "9.11.13"
        },
        {
            "introduced": "10.5.0"
        },
        {
            "fixed": "10.5.4"
        },
        {
            "introduced": "10.6.0"
        },
        {
            "fixed": "10.6.3"
        },
        {
            "introduced": "10.7.0"
        },
        {
            "fixed": "10.7.1"
        }
    ]
}

Affected versions

@mattermost/client@10.*
@mattermost/client@10.5.0
@mattermost/client@10.6.0
@mattermost/client@10.7.0
@mattermost/client@9.*
@mattermost/client@9.11.0
@mattermost/types@10.*
@mattermost/types@10.5.0
@mattermost/types@10.6.0
@mattermost/types@10.7.0
@mattermost/types@9.*
@mattermost/types@9.11.0
mattermost-redux@10.*
mattermost-redux@10.6.0
mattermost-redux@10.7.0
v10.*
v10.5.0
v10.5.0-rc6
v10.5.1
v10.5.1-rc1
v10.5.1-rc2
v10.5.2
v10.5.3
v10.5.3-rc1
v10.5.4-rc1
v10.6.0
v10.6.0-rc3
v10.6.1
v10.6.2
v10.6.2-rc1
v10.6.3-rc1
v10.7.0
v10.7.0-rc2
v9.*
v9.11.0
v9.11.0-rc3
v9.11.1
v9.11.1-rc1
v9.11.10
v9.11.10-rc1
v9.11.11
v9.11.11-rc1
v9.11.12
v9.11.12-rc1
v9.11.13-rc1
v9.11.2
v9.11.2-rc1
v9.11.2-rc2
v9.11.3
v9.11.3-rc1
v9.11.3-rc2
v9.11.4
v9.11.4-rc1
v9.11.5
v9.11.5-rc1
v9.11.6
v9.11.6-rc1
v9.11.6-rc2
v9.11.7
v9.11.7-rc1
v9.11.7-rc2
v9.11.7-rc3
v9.11.8
v9.11.9
v9.11.9-rc1
v9.11.9-rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3230.json"