51 matches found
CVE-2026-49277
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...
CVE-2026-49277 Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...
CVE-2026-45757
Rocket.Chat before versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allowed users marked inactive by users.deactivateIdle to continue using already-issued login tokens. An administrator-stopped idle users could still access authenticated REST endpoints with the old token. Th...
CVE-2019-20876
An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy...
CVE-2025-65430
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...
SUSE CVE-2025-65430
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...
PYSEC-2025-110
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...
UBUNTU-CVE-2025-65430
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...
EUVD-2022-0018
Malicious code in bioql PyPI...
EUVD-2025-16491
Malicious code in bioql PyPI...
EUVD-2023-0370
Malicious code in bioql PyPI...
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
Summary Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can...
SUSE CVE-2025-3230
Mattermost versions 10.7.x = 10.7.0, 10.6.x = 10.6.2, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previous...
CVE-2025-49511 WordPress Civi Framework plugin <= 2.1.6 - Cross Site Request Forgery (CSRF) to User Deactivation vulnerability
Cross-Site Request Forgery CSRF vulnerability in uxper Civi Framework allows Cross Site Request Forgery.This issue affects Civi Framework: from n/a through 2.1.6...
CVE-2025-49511 WordPress Civi Framework plugin <= 2.1.6 - Cross Site Request Forgery (CSRF) to User Deactivation vulnerability
Cross-Site Request Forgery CSRF vulnerability in uxper Civi Framework civi-framework allows Cross Site Request Forgery.This issue affects Civi Framework: from n/a through = 2.1.6...
Improper Token Invalidation
github.com/mattermost/mattermost-server is vulnerable to improper token invalidation. The vulnerability is due to failure to invalidate personal access tokens upon user deactivation, allowing continued access through previously issued tokens...
GO-2025-3731 Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server...
CVE-2025-3230
Mattermost versions 10.7.x = 10.7.0, 10.6.x = 10.6.2, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previous...
Mattermost fails to properly invalidate personal access tokens upon user deactivation
Mattermost versions 10.7.x = 10.7.0, 10.6.x = 10.6.2, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previous...
GHSA-MC2F-JGJ6-6CP3 Mattermost fails to properly invalidate personal access tokens upon user deactivation
Mattermost versions 10.7.x = 10.7.0, 10.6.x = 10.6.2, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previous...