CVE-2025-12421

Published Nov 27, 2025


Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-12421 is a critical account takeover vulnerability in Mattermost that affects versions 11.0.x through 11.0.2, 10.12.x through 10.12.1, 10.11.x through 10.11.4, and 10.5.x through 10.5.12. It stems from the application's failure to verify that the token used during the code exchange originates from the same authentication flow. The vulnerability allows an authenticated user to perform account takeover by using a specially crafted email address when switching authentication methods and sending a request to the `/users/login/sso/code-exchange` endpoint. Exploitation requires that `ExperimentalEnableAuthenticationTransfer` is enabled and `RequireEmailVerification` is disabled.

Description
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
Source
responsibledisclosure@mattermost.com
NVD status
Analyzed
Products
mattermost_server

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

responsibledisclosure@mattermost.com
CWE-303

Social media

Hype score
Not currently trending
  1. 🚨 Critical Vulnerabilities exist in Mattermost (CVE-2025-12421, CVE-2025-12419) - please see the @ncsc_gov_ie advisory for further info: https://t.co/7a1MBkog4L

    @ncsc_gov_ie

    28 Nov 2025

    520 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  2. Warning: Two Critical Account Takeover flaws in Mattermost! #CVE-2025-12421 and #CVE-2025-12419, CVSS 9.9. These allow an authenticated attacker to perform full account takeover! #Patch #Patch #Patch More info: https://t.co/4mDcbZmfV7

    @CCBalert

    28 Nov 2025

    232 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2025-12421: CRITICAL] Critical cyber security flaw in Mattermost versions 10.5.x to 11.0.2 allows account takeover via crafted email address. Update now to protect your data! #cve,CVE-2025-12421,#cybersecurity https://t.co/VWNy8lqlrX https://t.co/68fCMow2na

    @CveFindCom

    27 Nov 2025

    92 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Mattermost CVE-2025-12421: Critical SSO Flaw A critical SSO code exchange bug in Mattermost lets attackers take over accounts. Patch ASAP to secure your teams. For more details, read ZeroPath's blog on this vuln. #AppSec #InfoSec #SSO https://t.co/w75SSTybla

    @ZeroPathLabs

    27 Nov 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-12421 Authentication Bypass Vulnerability in Mattermost Enabling Account Takeover https://t.co/o43wbEMx7E

    @VulmonFeeds

    27 Nov 2025

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-12421 Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange origina… https://t.co/ugDlLgCHWb

    @CVEnew

    27 Nov 2025

    288 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes
