CVE-2025-62425

Name of the Vulnerable Software and Affected Versions Matrix Authentication Service versions 0.20.0 through 1.4.0

Description A logic flaw in Matrix Authentication Service allows an attacker with an existing authenticated session to perform sensitive operations without re-entering the current password. These operations include changing the password, adding or removing an email address, and deactivating the account. The issue only affects instances with the local password database feature enabled.

Recommendations Update to Matrix Authentication Service version 1.4.1 or later.