CVE-2025-1412

Name of the Vulnerable Software and Affected Versions Mattermost versions 9.11.x through 9.11.6 Mattermost versions 10.4.x through 10.4.1

Description The issue arises when a user is converted to a bot, and the system fails to invalidate all active sessions. This allows the converted user to potentially escalate their privileges, depending on the permissions granted to the bot.

Recommendations For Mattermost versions 9.11.x through 9.11.6, update to a version later than 9.11.6 to resolve the issue. For Mattermost versions 10.4.x through 10.4.1, update to a version later than 10.4.1 to resolve the issue. As a temporary workaround, consider restricting the conversion of users to bots and limiting the permissions granted to bots to minimize the risk of exploitation.