Mattermost OAuth State Manipulation (CVE-2025-58073) – Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-58073, a high-severity authorization bypass in Mattermost affecting versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, and 10.5.x <= 10.5.10. The flaw lets an attacker join any team by manipulating the OAuth state parameter during the team invitation flow. It covers the affected versions and the technical mechanism.
ZeroPath CVE Analysis

2025-10-16

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can bypass Mattermost team membership restrictions and join any team by manipulating OAuth state during the invitation process. This issue impacts organizations using Mattermost for secure collaboration, especially those relying on strict team-based access controls.

Mattermost is an open-source collaboration and messaging platform used by enterprises, governments, and critical infrastructure operators. Its focus on security and self-hosting has led to adoption in sectors with stringent information protection requirements.

Technical Information

CVE-2025-58073 is a missing authorization check (CWE-862) in Mattermost's team invitation flow when the invitation is completed through OAuth. In the affected versions the server does not verify that the user accepting a team invitation via the original invite token is the invitation's intended recipient. An authenticated user can therefore manipulate the OAuth state parameter during the invitation flow and join any team, regardless of the invitation's restrictions or the team's membership policy.

The weak point is the hand-off between the OAuth handshake and the invite token. The state parameter exists to tie the provider's callback back to the session that started the flow, which is what makes it a CSRF defence; in the invitation flow it also carries the reference to the invitation being redeemed. Because the server does not bind that invitation to the identity the OAuth provider actually asserts on callback, a request that presents a valid invite token in state is honoured for whichever account completes the flow, not only for the invited user. That is the team membership control the advisory describes as bypassed.

The advisory publishes no code or implementation details, so the exact code path is not public. Every deployment of the affected versions that uses OAuth for authentication and team invitations is affected. Exploitation requires only an authenticated session; no elevated privileges are necessary.
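To make the missing check concrete, the following Go program is an added illustration written for this review; it is not Mattermost code and does not reproduce the project's actual invite or OAuth handling. It assumes a simplified model in which an invitation is issued for one recipient e-mail address and the OAuth state carries a session nonce plus the invite token; the type and function names (Invite, oauthState, NewState, decodeState, AcceptInviteVulnerable, AcceptInviteHardened) and the sample data are all constructed here. The vulnerable function models the bug class, redeeming whatever invitation the state names for whoever completes the OAuth login; the hardened one checks the MAC on the state, ties it to the session nonce, and refuses unless the identity the provider asserted is the invitation's intended recipient.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Invite is a constructed stand-in for a team invitation whose token was
// issued for exactly one recipient address (an assumption of this example).
type Invite struct {
	TeamID string
	Email  string // intended recipient
}

// oauthState is the payload carried in the OAuth "state" parameter; the
// field names are assumptions, not Mattermost's actual format.
type oauthState struct {
	Nonce       string `json:"nonce"`        // ties the callback to the session
	InviteToken string `json:"invite_token"` // invitation this login redeems
}

var b64 = base64.RawURLEncoding

// NewState returns base64(payload) + "." + base64(HMAC-SHA256(payload)), as
// the server would issue it before redirecting the browser to the provider.
func NewState(secret []byte, nonce, inviteToken string) string {
	payload, _ := json.Marshal(oauthState{Nonce: nonce, InviteToken: inviteToken})
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(mac.Sum(nil))
}

// decodeState parses a state value; it does NOT verify the MAC.
func decodeState(state string) (oauthState, []byte, []byte, error) {
	var st oauthState
	parts := strings.SplitN(state, ".", 2)
	if len(parts) != 2 {
		return st, nil, nil, errors.New("malformed state")
	}
	payload, err1 := b64.DecodeString(parts[0])
	mac, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return st, nil, nil, errors.New("bad state encoding")
	}
	err := json.Unmarshal(payload, &st)
	return st, payload, mac, err
}

// AcceptInviteVulnerable models the bug class: it redeems whatever invite the
// state names for whoever completed the OAuth login, never asking whether the
// identity the provider asserted (providerEmail) is the intended recipient.
func AcceptInviteVulnerable(invites map[string]Invite, state, providerEmail string) (string, error) {
	st, _, _, err := decodeState(state)
	if err != nil {
		return "", err
	}
	inv, ok := invites[st.InviteToken]
	if !ok {
		return "", errors.New("unknown invite")
	}
	return inv.TeamID, nil // providerEmail is never consulted
}

// AcceptInviteHardened binds the state to its issuer (MAC), to the session
// that started the flow (nonce) and to the invited recipient (email).
func AcceptInviteHardened(secret []byte, invites map[string]Invite, state, sessionNonce, providerEmail string) (string, error) {
	st, payload, mac, err := decodeState(state)
	if err != nil {
		return "", err
	}
	want := hmac.New(sha256.New, secret)
	want.Write(payload)
	if !hmac.Equal(mac, want.Sum(nil)) {
		return "", errors.New("state failed integrity check")
	}
	if !hmac.Equal([]byte(st.Nonce), []byte(sessionNonce)) {
		return "", errors.New("state was not issued to this session")
	}
	inv, ok := invites[st.InviteToken]
	if !ok {
		return "", errors.New("unknown invite")
	}
	if !strings.EqualFold(inv.Email, providerEmail) {
		return "", errors.New("authenticated identity is not the invited recipient")
	}
	return inv.TeamID, nil
}

func main() {
	secret := []byte("server-side-secret") // constructed sample data
	invites := map[string]Invite{"tok-finance": {TeamID: "finance", Email: "alice@example.com"}}
	// A state the server itself issued for Mallory's session, naming Alice's invitation.
	state := NewState(secret, "mallory-session", "tok-finance")
	fmt.Println(AcceptInviteVulnerable(invites, state, "mallory@example.com"))
	fmt.Println(AcceptInviteHardened(secret, invites, state, "mallory-session", "mallory@example.com"))
}
```

Run it and the vulnerable path puts Mallory in the finance team while the hardened path rejects her. The point worth taking away is that the MAC and the nonce are not enough on their own: a state the server itself issued for Mallory's session can still name Alice's invitation, so the check that actually closes this bug class is the comparison between the invite's recipient and the identity the OAuth provider asserted.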

Affected Systems and Versions

  • Mattermost 10.11.x up to and including 10.11.1
  • Mattermost 10.10.x up to and including 10.10.2
  • Mattermost 10.5.x up to and including 10.5.10

All configurations using OAuth for authentication and team invitations in these versions are vulnerable.

Vendor Security History

Mattermost has previously addressed vulnerabilities related to OAuth authentication and team invitation logic. The vendor maintains a responsible disclosure process, backports security fixes to supported releases, and typically publishes CVE details 30 days after patch release. Security updates are released monthly, and the vendor has a history of timely responses to reported issues.
