CVE-2025-12419
Published: 27 November 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-12419 is a critical authentication vulnerability in Mattermost, affecting versions 10.12.x up to and including 10.12.1, 10.11.x up to and including 10.11.4, 10.5.x up to and including 10.5.12, and 11.0.x up to and including 11.0.3. It arises from improper validation of OAuth state tokens during the OpenID Connect authentication process and is classified under CWE-303 (Incorrect Implementation of Authentication Algorithm). The issue was published on 2025-11-27 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): network-reachable, low complexity, low privileges required, no user interaction, with a scope change and high impact on confidentiality, integrity and availability.
An authenticated attacker with team creation privileges can exploit this vulnerability to take over a target user account by manipulating authentication data during the OAuth completion flow. Successful exploitation requires specific conditions: email verification disabled (the default setting), OAuth or OpenID Connect enabled, and the attacker controlling two users in the SSO system, where one has never previously logged into Mattermost.
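The advisory names the root cause as improper validation of the OAuth state token, but gives no code. The following Go program is an added illustration, not Mattermost's code and not the patch for this CVE: it shows the checks a state value has to pass before an OAuth/OIDC callback may complete a login (HMAC integrity, expiry, binding to the browser session that started the flow, single use), and a completion step that selects the local account from the IdP's issuer and subject rather than from anything carried in the callback request. StateStore, Issue, Verify, CompleteLogin, IdPClaims, the signing key, the session IDs and the account map are hypothetical names and constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Added example, not Mattermost code. Models a session-bound, single-use
// OAuth/OIDC "state" value and the checks the callback must apply to it.
var (
	ErrBadState = errors.New("state: malformed or bad signature")
	ErrExpired  = errors.New("state: expired")
	ErrSession  = errors.New("state: not bound to this browser session")
	ErrReplayed = errors.New("state: already used")
)

type statePayload struct {
	Nonce string `json:"n"`
	SID   string `json:"sid"` // browser session that started the login
	Exp   int64  `json:"exp"`
}

type StateStore struct {
	key  []byte
	ttl  time.Duration
	Now  func() time.Time // injectable clock (assumption: tests override it)
	mu   sync.Mutex
	used map[string]struct{} // nonces already consumed
}

func NewStateStore(key []byte, ttl time.Duration) *StateStore {
	return &StateStore{key: key, ttl: ttl, Now: time.Now, used: map[string]struct{}{}}
}

func (s *StateStore) sign(b []byte) string {
	m := hmac.New(sha256.New, s.key)
	m.Write(b)
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue mints a state for the session that is starting the login.
func (s *StateStore) Issue(sessionID string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	p := statePayload{Nonce: base64.RawURLEncoding.EncodeToString(nonce),
		SID: sessionID, Exp: s.Now().Add(s.ttl).Unix()}
	body, _ := json.Marshal(p)
	enc := base64.RawURLEncoding.EncodeToString(body)
	return enc + "." + s.sign([]byte(enc)), nil
}

// Verify runs in the OAuth callback with the state the IdP echoed back and the
// session cookie of the browser that arrived at the callback. Every check is
// required: dropping any one of them is a different way of not validating state.
func (s *StateStore) Verify(state, sessionID string) error {
	enc, sig, ok := strings.Cut(state, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(s.sign([]byte(enc)))) {
		return ErrBadState
	}
	body, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil {
		return ErrBadState
	}
	var p statePayload
	if json.Unmarshal(body, &p) != nil {
		return ErrBadState
	}
	if s.Now().Unix() > p.Exp {
		return ErrExpired
	}
	if p.SID != sessionID {
		return ErrSession
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, seen := s.used[p.Nonce]; seen {
		return ErrReplayed
	}
	s.used[p.Nonce] = struct{}{}
	return nil
}

// IdPClaims is what the callback learns from the verified ID token (signature
// checking by the OIDC library is assumed and not shown).
type IdPClaims struct {
	Issuer, Subject, Email string
}

// CompleteLogin returns the local user ID to log in. accounts maps "issuer|subject"
// to a local user. An unknown subject yields "" (caller applies its own
// create-or-link policy) instead of matching on a field the caller did not verify.
func CompleteLogin(s *StateStore, sessionID, state string, c IdPClaims, accounts map[string]string) (string, error) {
	if err := s.Verify(state, sessionID); err != nil {
		return "", err
	}
	return accounts[c.Issuer+"|"+c.Subject], nil
}

func main() {
	st := NewStateStore([]byte("demo-key-only"), 5*time.Minute) // constructed key
	state, _ := st.Issue("sess-A")
	fmt.Println("same session:", st.Verify(state, "sess-A"))
	fmt.Println("replayed:", st.Verify(state, "sess-A"))
	state2, _ := st.Issue("sess-A")
	fmt.Println("other session:", st.Verify(state2, "sess-B"))
}
```

The session binding is the check that matters most for the scenario in this advisory: a state minted for one browser session must be rejected when presented from another, and a completed callback must identify the target account only through the issuer and subject the IdP asserted.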
Mattermost has published mitigations and patches in its security updates at https://mattermost.com/security-updates. Practitioners should review that advisory for upgrade instructions and configuration recommendations; until upgraded, the conditions listed above (email verification disabled, OAuth or OpenID Connect enabled, team creation available to ordinary users) are the settings to review.
Details
- CWE(s): CWE-303 (Incorrect Implementation of Authentication Algorithm)
- Affected Products: Mattermost 10.12.x up to and including 10.12.1; 10.11.x up to and including 10.11.4; 10.5.x up to and including 10.5.12; 11.0.x up to and including 11.0.3
- MITRE ATT&CK Enterprise Techniques: T1068 (Exploitation for Privilege Escalation), T1210 (Exploitation of Remote Services)
Why these techniques?
The vulnerability lets an authenticated, low-privilege attacker (team creation privileges) abuse improper OAuth state token validation to take over another user's account. Taking over an account with more rights than the attacker's own maps to Exploitation for Privilege Escalation (T1068); doing so over the network against the instance's OAuth/OpenID Connect endpoints, from a position already inside the environment, maps to Exploitation of Remote Services (T1210).