CVE-2025-12419

Published Nov 27, 2025

Last updated 5 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-12419 is a vulnerability affecting Mattermost versions 10.12.x through 10.12.1, 10.11.x through 10.11.4, 10.5.x through 10.5.12, and 11.0.x through 11.0.3. It stems from the improper validation of OAuth state tokens during OpenID Connect authentication. This vulnerability allows an authenticated attacker with team creation or admin privileges to potentially take over a user account. The account takeover is achieved through manipulation of authentication data during the OAuth completion flow. Exploitation requires email verification to be disabled, OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system, where one of them has never logged into Mattermost.

Description
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.
Source
responsibledisclosure@mattermost.com
NVD status
Analyzed
Products
mattermost_server

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

responsibledisclosure@mattermost.com
CWE-303

Social media

Hype score
Not currently trending
  1. `Mattermost` (`CVE-2025-12419`) has an authentication bypass flaw via `OAuth` state token validation during `OpenID Connect`. Affects 10.12.1, 10.11.4, 10.5.12, 11.0.3. Patch advised. #Mattermost #AuthBypass #infosec https://t.co/7qHNksHNwH

    @pulsepatchio

    13 Mar 2026

    106 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 Critical Vulnerabilities exist in Mattermost (CVE-2025-12421, CVE-2025-12419) - please see the @ncsc_gov_ie advisory for further info: https://t.co/7a1MBkog4L

    @ncsc_gov_ie

    28 Nov 2025

    520 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. Warning: Two Critical Account Takeover flaws in Mattermost! #CVE-2025-12421 and #CVE-2025-12419, CVSS 9.9. These allow an authenticated attacker to perform full account takeover! #Patch #Patch #Patch More info: https://t.co/4mDcbZmfV7

    @CCBalert

    28 Nov 2025

    232 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-12419 OAuth State Token Bypass in Mattermost Enabling Unauthorized Account Takeover https://t.co/G258IstTaF

    @VulmonFeeds

    27 Nov 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2025-12419: CRITICAL] Vulnerability in Mattermost versions 10.5.x to 10.12.1 allows attackers with admin privileges to take over user accounts during OAuth authentication. Update to patch the issue. #cve, CVE-2025-12419, #cybersecurity https://t.co/un3TDVE9Wb https://t.co/QmmYA

    @CveFindCom

    27 Nov 2025

    64 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-12419 Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect aut… https://t.co/r8DJzKiySh

    @CVEnew

    27 Nov 2025

    315 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes
