Vulnerability DatabaseCVE-2025-12419
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-12419
November 27, 2025
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.
Affected Packages
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.11.0 <v10.11.5
Fix Suggestion:
Update to version v10.11.5
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.12.0 <v10.12.2
Fix Suggestion:
Update to version v10.12.2
github.com/mattermost/mattermost (GO):
Affected version(s) >=v11.0.1-rc1 <v11.0.4
Fix Suggestion:
Update to version v11.0.4
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.5.0 <v10.5.13
Fix Suggestion:
Update to version v10.5.13
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.5.0 <v10.5.13
Fix Suggestion:
Update to version v10.5.13
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v10.11.0 <v10.11.5
Fix Suggestion:
Update to version v10.11.5
github.com/mattermost/mattermost/server/v8 (GO):
Affected version(s) >=v8.0.0-20230429093631-aac4f2337933 <v8.0.0-20251028000919-d3ed703dc833
Fix Suggestion:
Update to version v8.0.0-20251028000919-d3ed703dc833
github.com/mattermost/mattermost (GO):
Affected version(s) >=v10.12.0 <v10.12.2
Fix Suggestion:
Update to version v10.12.2
github.com/mattermost/mattermost-server (GO):
Affected version(s) >=v11.0.1-rc1 <v11.0.4
Fix Suggestion:
Update to version v11.0.4
Related ResourcesĀ (10)
https://github.com/mattermost/mattermost
https://github.com/mattermost/mattermost/commit/15364790cc277cfaa372693d2d5442b87f70fd42
https://github.com/advisories/GHSA-3x39-62h4-f8j6
https://github.com/mattermost/mattermost/pull/34296
https://github.com/mattermost/mattermost/commit/364c2203de00fe0d8424b6b46d6f0eeb02a2539a
https://nvd.nist.gov/vuln/detail/CVE-2025-12419
https://github.com/mattermost/mattermost/commit/c3f4818afe46a7084740e809708ae22641c76d8d
https://mattermost.com/security-updates
https://github.com/mattermost/mattermost/commit/46b5c436bb3093cc1da3fa2455f93d4c52389eee
https://github.com/mattermost/mattermost/commit/d3ed703dc8330684952eb8d49a375bac6ea7b0c6
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Authentication
CWE-287
Incorrect Implementation of Authentication Algorithm
CWE-303
EPSS
Base Score:
0.10