CVE-2025-12421

Account Takeover via Code Exchange Endpoint

Assigner: Mattermost
Reserved: 28.10.2025 Published: 27.11.2025 Updated: 02.12.2025

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Mattermost
Product	Mattermost
Versions	Default: unaffected affected from 11.0.0 to 11.0.2 (incl.) affected from 10.12.0 to 10.12.1 (incl.) affected from 10.11.0 to 10.11.4 (incl.) affected from 10.5.0 to 10.5.12 (incl.) Version 11.1.0 is unaffected Version 11.0.3 is unaffected Version 10.12.2 is unaffected Version 10.11.5 is unaffected Version 10.5.13 is unaffected

Vendor

Mattermost

Product

Mattermost

Versions

Default: unaffected

affected from 11.0.0 to 11.0.2 (incl.)
affected from 10.12.0 to 10.12.1 (incl.)
affected from 10.11.0 to 10.11.4 (incl.)
affected from 10.5.0 to 10.5.12 (incl.)
Version 11.1.0 is unaffected
Version 11.0.3 is unaffected
Version 10.12.2 is unaffected
Version 10.11.5 is unaffected
Version 10.5.13 is unaffected

Solutions

Update Mattermost to versions 11.1.0, 11.0.3, 10.12.2, 10.11.5, 10.5.13 or higher.

Credits

daw10 finder

References

Problem Types

CWE-303: Incorrect Implementation of Authentication Algorithm CWE