CVE-2025-12421
Published: 27 November 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-12421 is a critical authentication vulnerability in Mattermost, affecting versions 11.0.x up to and including 11.0.2, 10.12.x up to 10.12.1, 10.11.x up to 10.11.4, and 10.5.x up to 10.5.12. The issue arises from a failure to verify that the token used during the code exchange originates from the same authentication flow. This is classified under CWE-303 (Incorrect Check of Function Return Value) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Exploitation requires the ExperimentalEnableAuthenticationTransfer feature to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. The attacker crafts a specially formatted email address while switching authentication methods, then sends a request to the /users/login/sso/code-exchange endpoint. This allows takeover of another user's account by hijacking the authentication flow, potentially granting full access to the victim's data and privileges; the CVSS vector reflects this with a changed scope and high impact on confidentiality, integrity, and availability.
Mattermost has published details on mitigations in their security updates, available at https://mattermost.com/security-updates. Security practitioners should review this advisory for patch information and configuration guidance to address the vulnerability.
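For triage, the two facts an operator needs are whether the deployed version falls in an affected range and whether the stated preconditions (ExperimentalEnableAuthenticationTransfer enabled, RequireEmailVerification disabled) hold in the running config. The following added example, written for this page and not Mattermost's own tooling, checks both against a version string and a config.json dictionary. It assumes the two settings live under the ServiceSettings and EmailSettings sections of config.json; the sample config is constructed here, and the affected ranges and defaults come from the advisory text above.

```python
import json

# Affected branches from the advisory: (major, minor) -> highest affected patch.
# Anything above that patch on the same branch is treated as outside the range.
AFFECTED_BRANCHES = {
    (11, 0): 2,    # 11.0.x up to and including 11.0.2
    (10, 12): 1,   # 10.12.x up to 10.12.1
    (10, 11): 4,   # 10.11.x up to 10.11.4
    (10, 5): 12,   # 10.5.x up to 10.5.12
}

# Assumed config.json locations for the two settings named in the advisory.
TRANSFER_SECTION, TRANSFER_KEY = "ServiceSettings", "ExperimentalEnableAuthenticationTransfer"
VERIFY_SECTION, VERIFY_KEY = "EmailSettings", "RequireEmailVerification"

# Defaults as stated in the advisory: transfer enabled, verification disabled.
TRANSFER_DEFAULT = True
VERIFY_DEFAULT = False


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    max_patch = AFFECTED_BRANCHES.get((major, minor))
    return max_patch is not None and patch <= max_patch


def config_enables_exposure(config):
    """True if both preconditions hold; missing keys fall back to the stated defaults."""
    transfer = config.get(TRANSFER_SECTION, {}).get(TRANSFER_KEY, TRANSFER_DEFAULT)
    verify = config.get(VERIFY_SECTION, {}).get(VERIFY_KEY, VERIFY_DEFAULT)
    return bool(transfer) and not bool(verify)


def assess(version, config):
    """Combine the version and config checks into a triage verdict."""
    affected = is_affected_version(version)
    preconditions = config_enables_exposure(config)
    recommendations = []
    if affected:
        recommendations.append(
            "Upgrade to a patched release listed at https://mattermost.com/security-updates")
    if affected and preconditions:
        # Compensating control derived from the advisory's stated preconditions:
        # removing either one removes the exploitation path while the upgrade is scheduled.
        recommendations.append(
            f"Until patched, set {TRANSFER_SECTION}.{TRANSFER_KEY}=false "
            f"or {VERIFY_SECTION}.{VERIFY_KEY}=true")
    return {
        "affected_version": affected,
        "preconditions_met": preconditions,
        "exposed": affected and preconditions,
        "recommendations": recommendations,
    }


# Constructed sample config (not from a real deployment): defaults left in place.
SAMPLE_CONFIG = json.loads("""
{
  "ServiceSettings": {"ExperimentalEnableAuthenticationTransfer": true},
  "EmailSettings": {"RequireEmailVerification": false}
}
""")

# Same config with one precondition removed.
HARDENED_CONFIG = json.loads("""
{
  "ServiceSettings": {"ExperimentalEnableAuthenticationTransfer": false},
  "EmailSettings": {"RequireEmailVerification": false}
}
""")

if __name__ == "__main__":
    for ver in ("10.11.4", "11.0.2", "11.0.3"):
        print(ver, assess(ver, SAMPLE_CONFIG))
    print("hardened", assess("11.0.2", HARDENED_CONFIG))
```

The check treats an absent key as the advisory's documented default, so a config.json that never mentions either setting is reported as exposed; that is deliberate, since a default install satisfies both preconditions.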
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged users to exploit an authentication flaw in Mattermost's SSO code exchange for account takeover, directly facilitating exploitation for privilege escalation (T1068) and exploitation of a remote service (T1210).