CVE-2025-12419

Description

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.

CVSS v3.1 Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weakness Type (CWE)

CWE-303 CWE-303

Affected Products

Vendor	Product	Versions
mattermost	mattermost_server	10.5.0 — 10.5.13
mattermost	mattermost_server	10.11.0 — 10.11.5
mattermost	mattermost_server	10.12.0 — 10.12.2
mattermost	mattermost_server	11.0.0 — 11.0.4

References

Advisories & Patches

https://mattermost.com/security-updates

Frequently Asked Questions

What is CVE-2025-12419? +

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. It has a CVSS v3.1 base score of 9.9 (CRITICAL).

How severe is CVE-2025-12419? +

CVE-2025-12419 has a CVSS v3.1 score of 9.9 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.

What products are affected by CVE-2025-12419? +

CVE-2025-12419 affects products from mattermost, specifically: mattermost_server. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-12419? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-8314

An Incorrect Implementation of Authentication Algorithm and Exposure of Data Element to Wrong Ses-sion vulnerability in the session handling used …

CVE-2025-48994

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned …

CVE-2024-4332

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when …

CVE-2025-43856

immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking …

CVE-2025-61783

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated …

CVE-2025-13390 10.0

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 …