CVE-2025-12421

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.12 Mattermost versions 10.11.x through 10.11.4 Mattermost versions 10.12.x through 10.12.1 Mattermost versions 11.0.x through 11.0.2

Description Mattermost fails to verify that the token used during the code exchange originates from the same authentication flow. This allows an authenticated user to perform account takeover by using a specially crafted email address when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The issue requires ExperimentalEnableAuthenticationTransfer to be enabled and RequireEmailVerification to be disabled.

Recommendations Mattermost versions 10.5.x through 10.5.12: Update to a newer, fixed version. Mattermost versions 10.11.x through 10.11.4: Update to a newer, fixed version. Mattermost versions 10.12.x through 10.12.1: Update to a newer, fixed version. Mattermost versions 11.0.x through 11.0.2: Update to a newer, fixed version.