CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-12421

CVSS 9.9v3.1pub. 2025-11-27upd. 2025-12-03

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

🤖 AI Analysis
How it works

Vulnerable versions of Mattermost Server do not verify whether the token used during OAuth code exchange (endpoint /users/login/sso/code-exchange) originates from the same authentication flow that generated it. An attacker, being a logged-in user, can submit a specially crafted email address while switching authentication methods, and then send a request to the mentioned endpoint with a token from outside the original flow. Exploiting the vulnerability requires that the ExperimentalEnableAuthenticationTransfer option be enabled in the server configuration (default: enabled) and that RequireEmailVerification be disabled (default: disabled).

Impact

An authenticated attacker can take over control of any user account (account takeover), leading to complete compromise of confidentiality, integrity, and availability of data accessible from the compromised account.

Mitigation & patch

Update Mattermost Server to the patched versions indicated by the vendor (details: https://mattermost.com/security-updates). Until the patch is deployed, it is recommended to disable the ExperimentalEnableAuthenticationTransfer option in the server configuration or enable RequireEmailVerification, which eliminates the conditions necessary to exploit the vulnerability.

Who is affected

Mattermost Server in versions: 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Mattermost Server

    APP
    Mattermost
    10.5.0 – 10.5.13 (bez)10.11.0 – 10.11.5 (bez)10.12.0 – 10.12.2 (bez)11.0.0 – 11.0.3 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-12419CRITICAL9.9PL ✓ten sam produkt

Mattermost Server: przejęcie konta przez błędną walidację OAuth state token

CVE-2025-4981CRITICAL9.9PL ✓ten sam produkt

Mattermost Server: path traversal w ekstraktorze archiwów umożliwia RCE

CVE-2025-25279CRITICAL9.9PL ✓ten sam produkt

Mattermost Server — path traversal przy imporcie tablic (Boards)

CVE-2025-20051CRITICAL9.9PL ✓ten sam produkt

Mattermost Server: path traversal przy duplikowaniu bloków w Boards

CVE-2025-24490CRITICAL9.6PL ✓ten sam produkt

SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic