Mattermost fails to invalidate personal access tokens when a user is deactivated, allowing continued system access. The vulnerability occurs due to improper token validation checks during user status verification. When a user is deactivated, their session tokens are revoked, but personal access tokens (PATs) remain active. This oversight enables attackers with valid PATs to bypass deactivation and maintain API access, potentially leading to unauthorized data exposure or privilege abuse. The flaw affects token-based authentication workflows where the system only checks user status during token creation, not subsequent validations.
DailyCVE Form:
Platform: Mattermost
Version: 10.7.0-rc1 to 10.7.0
Vulnerability: Token validation bypass
Severity: Moderate
Date: May 30, 2025
Prediction: Patch by June 10, 2025
What Undercode Say:
Analytics:
- Impact: Unauthorized access post-deactivation.
- Attack Vector: Exploits persistent PATs.
- Mitigation: Manual token revocation required.
Exploit Command (PoC):
curl -H "Authorization: Bearer <VALID_PAT>" https://mattermost-server/api/v4/users/me
Protection Steps:
1. Upgrade to patched versions (10.7.1+).
2. Manually revoke all PATs post-deactivation:
UPDATE UserAccessTokens SET IsActive=false WHERE UserId=<DEACTIVATED_USER_ID>;
3. Implement middleware to validate user status per request:
   // CheckUserActive wraps next and refuses to serve it when the session's user is
   // deactivated, so a still-valid PAT cannot be used after deactivation.
   func CheckUserActive(c *Context, next http.Handler) http.Handler {
       return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
           if !c.App.Session().UserActive { // user-status lookup as sketched in this post
               c.Err = model.NewAppError("api.check_user_active", "user.inactive", nil, "", http.StatusUnauthorized)
               http.Error(w, "user.inactive", http.StatusUnauthorized)
               return
           }
           next.ServeHTTP(w, r)
       })
   }
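To make the defect concrete, here is an added Go example (not Mattermost's code; the User and AccessToken records, the function names and the in-memory maps are simplified constructions) that contrasts a validator checking only the token row with one that re-checks the owner's status on every call, plus the bulk revocation that the UPDATE in step 2 performs:

```go
package main

import "errors"

// Constructed, simplified records (not Mattermost's structs); Mattermost stores deactivation as a non-zero DeleteAt.
type User struct {
	ID       string
	DeleteAt int64
}
type AccessToken struct { // keyed by the token string in the maps below
	UserID   string
	IsActive bool
}
var ErrInvalidToken = errors.New("invalid or revoked token")
var ErrUserInactive = errors.New("user is deactivated")

// ValidatePATVulnerable reproduces the flaw: only the token row is checked, so
// a PAT issued before deactivation keeps resolving to its user afterwards.
func ValidatePATVulnerable(tokens map[string]AccessToken, token string) (string, error) {
	t, ok := tokens[token]
	if !ok || !t.IsActive {
		return "", ErrInvalidToken
	}
	return t.UserID, nil
}

// ValidatePATFixed adds the missing per-request user-status check (step 3 above).
func ValidatePATFixed(tokens map[string]AccessToken, users map[string]User, token string) (string, error) {
	userID, err := ValidatePATVulnerable(tokens, token)
	if err != nil {
		return "", err
	}
	if u, ok := users[userID]; !ok || u.DeleteAt != 0 {
		return "", ErrUserInactive
	}
	return userID, nil
}

// RevokeTokensOfDeactivated does what the UPDATE in step 2 does: flag every
// still-active PAT of a deactivated user inactive and report how many.
func RevokeTokensOfDeactivated(tokens map[string]AccessToken, users map[string]User) int {
	n := 0
	for k, t := range tokens {
		if u, ok := users[t.UserID]; ok && u.DeleteAt != 0 && t.IsActive {
			t.IsActive = false
			tokens[k] = t
			n++
		}
	}
	return n
}
```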
Detection Script (Python):
   import requests

   def check_token_validity(token, endpoint):
       """Return True if the PAT still authenticates against /api/v4/users/me."""
       headers = {"Authorization": f"Bearer {token}"}
       r = requests.get(f"{endpoint}/api/v4/users/me", headers=headers, timeout=10)
       return r.status_code == 200
Workaround:
- Disable PATs via config.json:
   {
     "ServiceSettings": {
       "EnableUserAccessTokens": false
     }
   }
Log Monitoring:
grep "invalid token" /var/log/mattermost.log | awk '{print $1, $6}'
Patch Verification:
md5sum /opt/mattermost/bin/mattermost | grep a1b2c3d4e5f6
Sources:
Reported By: github.com