Introduction
Account takeover in enterprise collaboration platforms exposes sensitive discussions and business data to whoever holds the hijacked session. CVE-2025-12419 is a critical flaw in Mattermost's OpenID Connect (OIDC) authentication that allows an authenticated user who holds team creation or admin privileges to assume the identity of any other user in the system.
Mattermost is a widely adopted open-source messaging and collaboration platform, popular in government, enterprise, and regulated industries for its on-premises deployment model and its integration with external identity providers. Because the deployments that choose it for those reasons typically federate login to an external IdP, a flaw in that authentication path lands in exactly the environments with the most to lose.
Technical Information
CVE-2025-12419 is caused by improper validation of the OAuth state parameter during OpenID Connect authentication in Mattermost. The state parameter exists to bind an authorization response to the request that a particular browser session started: the relying party generates an unguessable value, sends it to the identity provider, and on the callback must confirm that the echoed value is the one it issued and that it belongs to the session completing the flow. That binding is what prevents login cross-site request forgery and session fixation. In affected Mattermost versions, the application does not sufficiently verify that the state value returned in the OAuth response matches the value sent in the original request.
An attacker who already has an authenticated session and holds either team creation or admin privileges can use this to manipulate the OAuth flow: initiate an OAuth login for their own account, alter the state or the associated authentication data, and complete the flow so that Mattermost accepts the response as if it belonged to the target user. The result is a full takeover of the victim's account, including private channels and messages, and administrative functions if the victim is an admin.
The vulnerability is classified as CWE-303 (Incorrect Implementation of Authentication Algorithm). It affects only Mattermost deployments configured to use OpenID Connect for authentication. The attacker does not need the victim's credentials, a token from the identity provider, or any control over the identity provider itself; the only requirement is the ability to manipulate the OAuth flow that the insufficient state validation permits.
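The following Go program is an added illustration of the bug class described above, written for this page; it is not Mattermost's code and does not reproduce the exact logic of CVE-2025-12419. It contrasts a relying party that trusts a self-describing state value (the attacker edits the state to name the victim and completes the flow from their own session) with one that issues an opaque random state, binds it server-side to the session that started the login, makes it single-use and time-limited, and takes the identity only from the IdP's assertion. The `Callback` struct, the session identifiers, and the user names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Constructed model of an OIDC relying party's state handling (illustration only, not Mattermost code).

// Callback is what the relying party receives on its redirect URI: the state the
// IdP echoes back and the subject the IdP asserts for the authorization code exchange.
type Callback struct {
	State   string
	Subject string
}

var ErrBadState = errors.New("oauth state rejected")

// ----- Vulnerable pattern: self-describing state that the callback trusts -----

type weakState struct {
	SessionID string `json:"sid"`
	UserID    string `json:"uid"` // the account the flow is supposedly for
}

// WeakBegin encodes the session and target user directly into the state.
func WeakBegin(sessionID, userID string) string {
	b, _ := json.Marshal(weakState{SessionID: sessionID, UserID: userID})
	return base64.RawURLEncoding.EncodeToString(b)
}

// WeakCallback decodes the state and believes it: it never checks that the state was
// issued to the session now completing the flow, and it takes the account to log in
// from the state rather than from a server-side record, so whoever edits the state
// picks the victim.
func WeakCallback(callerSession string, cb Callback) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cb.State)
	if err != nil {
		return "", ErrBadState
	}
	var s weakState
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", ErrBadState
	}
	return s.UserID, nil // attacker-controlled
}

// ----- Hardened pattern: opaque, server-bound, single-use state -----

type pendingLogin struct {
	sessionID string
	expires   time.Time
}

type StateStore struct {
	Now     func() time.Time // injectable clock for tests
	pending map[string]pendingLogin
}

func NewStateStore() *StateStore {
	return &StateStore{Now: time.Now, pending: map[string]pendingLogin{}}
}

// Begin issues a fresh 256-bit random state and records which browser session owns it.
func (s *StateStore) Begin(sessionID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(buf)
	s.pending[state] = pendingLogin{sessionID: sessionID, expires: s.Now().Add(10 * time.Minute)}
	return state, nil
}

// Complete accepts the callback only if the state was issued by us, is unexpired and
// unused, and belongs to the session completing the flow. The identity comes solely
// from the IdP's assertion (cb.Subject), never from anything inside the state.
func (s *StateStore) Complete(callerSession string, cb Callback) (string, error) {
	p, ok := s.pending[cb.State]
	if !ok {
		return "", ErrBadState
	}
	delete(s.pending, cb.State) // single use, even if a later check fails
	if s.Now().After(p.expires) {
		return "", ErrBadState
	}
	if subtle.ConstantTimeCompare([]byte(p.sessionID), []byte(callerSession)) != 1 {
		return "", ErrBadState
	}
	return cb.Subject, nil
}

func main() {
	forged := WeakBegin("sess-attacker", "alice")
	who, err := WeakCallback("sess-attacker", Callback{State: forged, Subject: "mallory"})
	fmt.Println("weak:", who, err) // prints "weak: alice <nil>": takeover

	store := NewStateStore()
	victimState, _ := store.Begin("sess-victim")
	_, err = store.Complete("sess-attacker", Callback{State: victimState, Subject: "alice"})
	fmt.Println("hardened, wrong session:", err)
}
```

The hardened store deliberately deletes the state before any other check runs, so a single failed attempt from the wrong session also invalidates it for the legitimate user; that is the safer failure mode, since a stolen state should never remain redeemable. In a real deployment the `pending` map would live in a shared store with the same single-use semantics across nodes.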
Affected Systems and Versions
- Mattermost 10.12.x up to and including 10.12.1
- Mattermost 10.11.x up to and including 10.11.4
- Mattermost 10.5.x up to and including 10.5.12
- Mattermost 11.0.x up to and including 11.0.3
All affected versions are vulnerable when configured to use OpenID Connect authentication. The vulnerability is in Mattermost's own handling of the OAuth response, so it is present regardless of the external identity provider (e.g., Azure AD, Okta, Google); switching or hardening the IdP does not mitigate it. Operators should upgrade every affected branch, including Extended Support Releases, rather than only the current release line.
Vendor Security History
Mattermost has a documented history of OAuth and authentication-related vulnerabilities. Notably, CVE-2025-58073 involved a similar OAuth state manipulation issue in the team invitation flow. The vendor maintains a responsible disclosure policy, offers a bug bounty program, and provides regular security updates across all supported branches, including Extended Support Releases. Security updates and advisories are typically released in a coordinated manner with clear versioning and upgrade guidance.