CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-12419

CVSS 9.9v3.1pub. 2025-11-27upd. 2025-12-03

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.

🤖 AI Analysis
How it works

The application improperly validates OAuth state tokens during authentication via OpenID Connect (CWE-303: incorrect implementation of authentication algorithm). An attacker controlling two accounts in the SSO system—with one of them never previously logging into Mattermost—is able to manipulate data transmitted during the OAuth flow finalization phase. As a result, the system incorrectly associates the victim's identity with the attacker's session, leading to account takeover. The attack is possible only when: email address verification is disabled (disabled by default), OAuth/OpenID Connect is enabled, and the attacker has permissions to create teams.

Impact

An attacker can fully take over another Mattermost user's account, gaining access to their messages, channels, and data, as well as the ability to act on their behalf. Due to the extended scope (Scope: Changed), the consequences may extend beyond the application itself.

Mitigation & patch

Mattermost Server should be updated to versions higher than 10.12.1, 10.11.4, 10.5.12, or 11.0.3 in accordance with information available on the vendor's website (https://mattermost.com/security-updates). Until the patch is deployed, risk can be reduced by enabling email address verification or disabling OAuth/OpenID Connect if it is not required.

Who is affected

Mattermost Server in versions: 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Mattermost Server

    APP
    Mattermost
    10.5.0 – 10.5.13 (bez)10.11.0 – 10.11.5 (bez)10.12.0 – 10.12.2 (bez)11.0.0 – 11.0.4 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-12421CRITICAL9.9PL ✓ten sam produkt

Mattermost Server — przejęcie konta przez błąd weryfikacji tokenu OAuth (account takeover)

CVE-2025-4981CRITICAL9.9PL ✓ten sam produkt

Mattermost Server: path traversal w ekstraktorze archiwów umożliwia RCE

CVE-2025-25279CRITICAL9.9PL ✓ten sam produkt

Mattermost Server — path traversal przy imporcie tablic (Boards)

CVE-2025-20051CRITICAL9.9PL ✓ten sam produkt

Mattermost Server: path traversal przy duplikowaniu bloków w Boards

CVE-2025-24490CRITICAL9.6PL ✓ten sam produkt

SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic