PT-2025-48273 · Mattermost · Mattermost
Daw10
Published: 2025-10-28
Updated: 2026-03-13
CVE-2025-12419
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Mattermost versions 10.5.x through 10.5.12
Mattermost versions 10.11.x through 10.11.4
Mattermost versions 10.12.x through 10.12.1
Mattermost versions 11.0.x through 11.0.3
Description
The Mattermost application contains a flaw in the implementation of its authentication logic. It allows an authenticated attacker with team creation or admin privileges to take over any user account by manipulating authentication data during the OAuth completion flow. The root cause is improper validation of OAuth state tokens during OpenID Connect authentication. Exploitation requires email verification to be disabled and OAuth/OpenID Connect to be enabled, and the attacker must control two users in the SSO system, one of which has never logged into Mattermost.
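The advisory names improper validation of OAuth state tokens during the completion flow as the root cause. The following Go example, added here and not taken from Mattermost's code base, shows the defensive pattern such a completion handler should follow: the state is unguessable, stored server-side, bound to the browser session that started the flow, single-use and time-limited, and the callback refuses to act on the identity provider's assertion until that binding is verified. The `StateStore`, `IdentityResolver` and `CompleteLogin` names, the session-cookie identifiers and the 10-minute lifetime are assumptions made for the illustration; the code does not model the specific Mattermost flaw.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownState  = errors.New("oauth: unknown or already-used state")
	ErrExpiredState  = errors.New("oauth: state expired")
	ErrStateMismatch = errors.New("oauth: state not bound to this browser session")
)

// stateEntry records which browser session started an authorization request and when it expires.
type stateEntry struct {
	sessionID string
	expires   time.Time
}

// StateStore is a server-side, single-use registry of OAuth state tokens.
// Keeping the binding server-side means nothing carried on the callback can override it.
type StateStore struct {
	mu      sync.Mutex
	entries map[string]stateEntry
	ttl     time.Duration
	Now     func() time.Time // injectable clock (hypothetical helper, used by tests)
}

func NewStateStore(ttl time.Duration) *StateStore {
	return &StateStore{entries: make(map[string]stateEntry), ttl: ttl, Now: time.Now}
}

// Issue creates an unguessable state token and binds it to the caller's session.
func (s *StateStore) Issue(sessionID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[state] = stateEntry{sessionID: sessionID, expires: s.Now().Add(s.ttl)}
	return state, nil
}

// Consume validates a state presented on the OAuth callback. The token must exist,
// be unexpired and be bound to the same session cookie; it is deleted on first use
// so a captured callback URL cannot be replayed.
func (s *StateStore) Consume(state, sessionID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[state]
	if !ok {
		return ErrUnknownState
	}
	delete(s.entries, state) // single use, whether or not the remaining checks pass
	if s.Now().After(e.expires) {
		return ErrExpiredState
	}
	if subtle.ConstantTimeCompare([]byte(e.sessionID), []byte(sessionID)) != 1 {
		return ErrStateMismatch
	}
	return nil
}

// IdentityResolver maps an IdP subject to a local user id (hypothetical interface).
type IdentityResolver func(idpSubject string) (userID string, err error)

// CompleteLogin is the callback side of the flow: it performs no account action
// until the state check passes, and the local account is chosen only by the
// resolver's answer for the IdP subject, never by other callback parameters.
func CompleteLogin(store *StateStore, resolve IdentityResolver, state, sessionID, idpSubject string) (string, error) {
	if err := store.Consume(state, sessionID); err != nil {
		return "", fmt.Errorf("oauth completion rejected: %w", err)
	}
	return resolve(idpSubject)
}

func main() {
	store := NewStateStore(10 * time.Minute)
	resolve := func(sub string) (string, error) { return "user-for-" + sub, nil }
	state, _ := store.Issue("cookie-A") // constructed session identifier
	uid, err := CompleteLogin(store, resolve, state, "cookie-A", "idp-sub-1")
	fmt.Println(uid, err)
	_, err = CompleteLogin(store, resolve, state, "cookie-A", "idp-sub-1") // replay of the same state
	fmt.Println(err)
}
```

The point for a reviewer of any OAuth completion handler is that the state token must do more than exist: it has to prove that the browser finishing the flow is the one that started it, and it must be spent on first presentation so that a rejected attempt cannot be retried with different parameters.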
Recommendations
Mattermost versions 10.5.x through 10.5.12: Update to a newer, fixed version.
Mattermost versions 10.11.x through 10.11.4: Update to a newer, fixed version.
Mattermost versions 10.12.x through 10.12.1: Update to a newer, fixed version.
Mattermost versions 11.0.x through 11.0.3: Update to a newer, fixed version.
Affected Products
Mattermost