Introduction
A single request can let an attacker hijack any user account in a Mattermost deployment if the wrong configuration is in place. This is not a theoretical risk—real-world deployments with default settings are exposed to critical account takeover attacks due to CVE-2025-12421.
About Mattermost: Mattermost is a leading open source, self-hosted collaboration platform used by enterprises and government agencies worldwide. It offers secure messaging, file sharing, and integrations, with a focus on compliance and data sovereignty. Its support for multiple authentication methods makes it a popular choice for organizations with complex identity requirements.
Technical Information
CVE-2025-12421 is a critical flaw in Mattermost's authentication flow, specifically in how it handles switching between authentication methods. The vulnerability is present in the code exchange process at the /users/login/sso/code-exchange endpoint. When a user switches authentication methods (such as from email-password to OAuth or between different OAuth providers), Mattermost should verify that the authorization code used in the exchange originates from the same authentication session and is linked to the requesting user.
The root cause is that Mattermost does not properly verify the origin and binding of the token during the code exchange. An attacker who is already authenticated can craft a request with a specially formatted email address and a valid authorization code. Because the system fails to ensure that the code and email address are part of the same authentication flow, the attacker can cause the system to associate the code with a different user account. This results in a full account takeover of the targeted user, without needing to know or guess their credentials.
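To make the missing check concrete, here is an added illustration of the two patterns the paragraph contrasts: a code exchange that trusts a caller-supplied identity versus one that binds each code to the user and session it was issued to. This is example code written for this page, not Mattermost's implementation; the class and method names (CodeExchange, exchange_unbound, exchange_bound) are hypothetical and the user and session ids are constructed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IssuedCode:
    """One short-lived authorization code and the identity it was issued to."""
    user_id: str        # account that started the auth-method switch
    session_id: str     # session in which the code was issued
    expires_at: float   # absolute UNIX time after which the code is dead


class CodeExchange:
    """Hypothetical code-exchange store for illustration; not Mattermost code."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self._codes: Dict[str, IssuedCode] = {}
        self.ttl_seconds = ttl_seconds

    def issue(self, user_id: str, session_id: str) -> str:
        # Bind the code to the issuing user AND session at creation time.
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(user_id, session_id, time.time() + self.ttl_seconds)
        return code

    def exchange_unbound(self, code: str, claimed_user_id: str) -> Optional[str]:
        # Weak pattern: the code only proves "some valid code exists"; the account
        # to link comes from caller-controlled input, so the exchange is not tied
        # to the flow that produced the code.
        if code not in self._codes:
            return None
        return claimed_user_id

    def exchange_bound(self, code: str, requesting_user_id: str,
                       requesting_session_id: str) -> Optional[str]:
        # Hardened pattern: consume the code on first use (even when the check
        # fails), reject expired codes, and accept the exchange only from the
        # user and session the code was issued to.
        record = self._codes.pop(code, None)
        if record is None or time.time() > record.expires_at:
            return None
        if record.user_id != requesting_user_id or record.session_id != requesting_session_id:
            return None
        return record.user_id


if __name__ == "__main__":
    ex = CodeExchange()
    code = ex.issue("user-a", "sess-a")           # constructed ids
    print("unbound:", ex.exchange_unbound(code, "user-b"))
    print("bound, wrong session:", ex.exchange_bound(code, "user-b", "sess-b"))
    code = ex.issue("user-a", "sess-a")
    print("bound, right session:", ex.exchange_bound(code, "user-a", "sess-a"))
```

The design choice worth noting is that exchange_bound burns the code on any attempt, successful or not, so a mismatch cannot be retried against the same code; the binding to both user_id and session_id is what the paragraph describes as the missing origin check.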
The vulnerability requires two configuration settings to be in their default state: ExperimentalEnableAuthenticationTransfer must be enabled (which allows users to switch authentication methods), and RequireEmailVerification must be disabled (which means the system does not require users to verify ownership of email addresses during authentication). Both are default in affected versions, so most deployments are at risk unless these settings have been changed.
No public code snippets or exploit scripts are available for this vulnerability as of the disclosure date.
Affected Systems and Versions
- Mattermost 11.0.x up to and including 11.0.2
- Mattermost 10.12.x up to and including 10.12.1
- Mattermost 10.11.x up to and including 10.11.4
- Mattermost 10.5.x up to and including 10.5.12
Vulnerability requires:
- ExperimentalEnableAuthenticationTransfer enabled (default: enabled)
- RequireEmailVerification disabled (default: disabled)
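As an added defender-side check (not part of the advisory or the vendor's tooling), the script below compares a deployment's version against the affected ranges listed above and inspects the two settings that make the flaw reachable. The config.json section names (ServiceSettings, EmailSettings) follow the Mattermost config layout as I know it and should be confirmed against your own file; the two sample config fragments are constructed, and a missing key is treated as the documented default, which is the exposed value.

```python
import json
from typing import Optional

# Highest affected patch level per release branch, taken from the advisory's
# "Affected Systems and Versions" list (inclusive).
AFFECTED_BRANCH_MAX_PATCH = {
    (11, 0): 2,
    (10, 12): 1,
    (10, 11): 4,
    (10, 5): 12,
}

# Constructed config.json fragments (not from any real deployment).
# Section names assumed to match the Mattermost config.json layout.
SAMPLE_CONFIG_DEFAULT = json.loads("""
{
  "ServiceSettings": {"ExperimentalEnableAuthenticationTransfer": true},
  "EmailSettings": {"RequireEmailVerification": false}
}
""")

SAMPLE_CONFIG_HARDENED = json.loads("""
{
  "ServiceSettings": {"ExperimentalEnableAuthenticationTransfer": false},
  "EmailSettings": {"RequireEmailVerification": true}
}
""")


def version_affected(version: str) -> Optional[bool]:
    """True/False for branches the advisory lists; None for branches it does not cover."""
    parts = version.split("-")[0].split(".")     # tolerate suffixes such as "-rc1"
    parts = (parts + ["0", "0"])[:3]             # pad "10.11" to "10.11.0"
    major, minor, patch = (int(p) for p in parts)
    ceiling = AFFECTED_BRANCH_MAX_PATCH.get((major, minor))
    if ceiling is None:
        return None
    return patch <= ceiling


def config_exposed(cfg: dict) -> bool:
    """Exposed combination: transfer enabled AND email verification disabled.
    Absent keys fall back to the defaults the advisory states."""
    transfer = cfg.get("ServiceSettings", {}).get(
        "ExperimentalEnableAuthenticationTransfer", True)
    verify = cfg.get("EmailSettings", {}).get("RequireEmailVerification", False)
    return bool(transfer) and not bool(verify)


def assess(version: str, cfg: dict) -> dict:
    """Combine the version and configuration checks into one report."""
    ver = version_affected(version)
    exposed = config_exposed(cfg)
    mitigations = []
    if exposed:
        mitigations.append("set ServiceSettings.ExperimentalEnableAuthenticationTransfer to false")
        mitigations.append("set EmailSettings.RequireEmailVerification to true")
    if ver is not False:
        mitigations.append("upgrade to a release outside the affected ranges per vendor guidance")
    return {
        "version": version,
        "version_affected": ver,        # None = branch not covered by the advisory
        "config_exposed": exposed,
        "at_risk": exposed and ver is True,
        "mitigations": mitigations,
    }


if __name__ == "__main__":
    for ver, cfg in [("10.11.4", SAMPLE_CONFIG_DEFAULT),
                     ("10.11.4", SAMPLE_CONFIG_HARDENED),
                     ("10.7.0", SAMPLE_CONFIG_DEFAULT)]:
        print(json.dumps(assess(ver, cfg), indent=2))
```

Either configuration change alone removes the precondition described in the advisory, so a deployment that cannot upgrade immediately still has a short-term option; the version check deliberately returns None rather than False for branches the advisory does not list, so that unlisted releases are reviewed rather than silently marked safe.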
Vendor Security History
Mattermost has experienced several authentication-related vulnerabilities in recent years. Notably, CVE-2025-12419 and CVE-2025-58073 involved flaws in OAuth and SSO handling, both leading to account takeover scenarios. The vendor maintains a responsible disclosure policy and issues regular security updates, but the recurrence of authentication logic issues indicates an area that requires ongoing attention and improvement.