Mattermost Critical Vulnerability Summary
A default configuration in Mattermost, an open source collaboration platform used by enterprises and government agencies, exposes deployments to a critical account-takeover risk. The vulnerability, tracked as CVE-2025-12421, allows an attacker to hijack any user account on the system with a single request.
Technical Details of CVE-2025-12421
The flaw lies in Mattermost’s authentication flow, specifically its handling of switching between different authentication methods (such as email/password to OAuth). The problem is in the /users/login/sso/code-exchange endpoint.
When a user changes their authentication method, Mattermost should verify that the authorization code used in the exchange comes from the same authentication session and is linked to the requesting user.
Root Cause: Mattermost does not properly verify the origin and token binding during code exchange. An already authenticated attacker can manipulate a request with a specific email address and a valid authorization code. Since the system does not validate whether the code and the email address are part of the same authentication flow, the attacker can force the system to associate the code with a different user account, thus achieving full takeover of the target account without needing to know its credentials.
Configuration Requirements for Exploitation
This vulnerability requires two default configurations to be active in the Mattermost deployment:
- ExperimentalEnableAuthenticationTransfer must be enabled. This setting allows users to switch between authentication methods, and it is enabled by default.
- RequireEmailVerification must be disabled. When this setting is disabled, ownership of the email address is not verified during authentication; it is disabled by default.
Because both settings are the default, most Mattermost deployments are vulnerable unless administrators have manually modified these settings.
Mattermost Versions Affected
The following versions of Mattermost are affected by the CVE-2025-12421 vulnerability:
- Mattermost 11.0.x up to and including 11.0.2
- Mattermost 10.12.x up to and including 10.12.1
- Mattermost 10.11.x up to and including 10.11.4
- Mattermost 10.5.x up to and including 10.5.12
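The configuration preconditions and the affected-version list above translate directly into an audit check. The following script is an added example, not Mattermost's own code: it reads a config.json fragment, treats missing keys as the defaults the advisory states, and compares a version string against the four listed branches. The JSON paths ServiceSettings.ExperimentalEnableAuthenticationTransfer and EmailSettings.RequireEmailVerification are assumed, and the sample configuration is constructed.

```python
import json

# Affected ranges as listed in the advisory: release branch (major, minor) ->
# highest affected patch level. Later patches on the same branch count as
# fixed; branches the advisory does not list are reported as "unlisted".
AFFECTED_BRANCHES = {(11, 0): 2, (10, 12): 1, (10, 11): 4, (10, 5): 12}


def parse_version(text):
    """Turn '10.11.3' into (10, 11, 3); anything past the patch field is ignored."""
    major, minor, patch = (int(p) for p in text.strip().split(".")[:3])
    return major, minor, patch


def version_status(version):
    """Return 'affected', 'fixed' or 'unlisted' for a Mattermost version string."""
    major, minor, patch = parse_version(version)
    max_patch = AFFECTED_BRANCHES.get((major, minor))
    if max_patch is None:
        return "unlisted"
    return "affected" if patch <= max_patch else "fixed"


def config_is_exposed(config):
    """True when both preconditions from the advisory hold.

    Missing keys fall back to the defaults the advisory states (transfer
    enabled, email verification not required). The JSON paths are assumed."""
    service = config.get("ServiceSettings", {})
    email = config.get("EmailSettings", {})
    transfer_enabled = service.get("ExperimentalEnableAuthenticationTransfer", True)
    verification_required = email.get("RequireEmailVerification", False)
    return bool(transfer_enabled) and not bool(verification_required)


def assess(version, config_json):
    """Combine the version and configuration checks into one result."""
    config = json.loads(config_json)
    status = version_status(version)
    exposed = config_is_exposed(config)
    return {"version_status": status, "config_exposed": exposed,
            "at_risk": status == "affected" and exposed}


# Constructed sample: a config.json fragment with both settings at their defaults.
SAMPLE_CONFIG = json.dumps({
    "ServiceSettings": {"ExperimentalEnableAuthenticationTransfer": True},
    "EmailSettings": {"RequireEmailVerification": False},
})

if __name__ == "__main__":
    print(assess("10.11.3", SAMPLE_CONFIG))  # at_risk: True
```

A deployment on an unlisted branch still needs a manual check against the vendor's release notes; the script only knows the four branches the advisory names.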
Provider Security History
Mattermost has faced several authentication-related vulnerabilities in recent years. Two earlier advisories, CVE-2025-12419 and CVE-2025-58073, both concerned flaws in OAuth and SSO handling that also led to account-takeover scenarios. Although the vendor maintains a responsible disclosure policy and publishes regular updates, the recurrence of authentication-logic issues underscores the need for continued attention in this area.
References
- CVE-2025-12421
- CVE-2025-12419
- CVE-2025-58073