Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-9571

Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 8.6%
CVSS Severity
CVSS v3 Score 5.9
Products affected by CVE-2026-9571


Contact Us

Shodan ® - All rights reserved