Cyber Posture

CVE-2025-1412

Low

Published: 24 February 2025
Modified: 01 October 2025
KEV Added:
Patch:
CVSS Score: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0017 (37.3rd percentile)
Risk Priority: 6 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Mattermost versions 9.11.x <= 9.11.6 and 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.

Security Summary

CVE-2025-1412 is a session management vulnerability affecting Mattermost versions 9.11.x up to and including 9.11.6 and 10.4.x up to and including 10.4.1. The flaw arises because the software fails to invalidate all active sessions when a user account is converted to a bot account. This issue, classified under CWE-384 (Session Fixation), has a CVSS v3.1 base score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-02-24.

A low-privileged user (PR:L) with network access (AV:N) can exploit this vulnerability if their account is converted to a bot, because the sessions established before the conversion remain valid afterwards. The converted user therefore keeps access under their original sessions while potentially gaining whatever additional permissions are assigned to the new bot account. Exploitation requires high attack complexity (AC:H) and results in low confidentiality impact with no integrity or availability effects.

For mitigation details, refer to the official advisory at https://mattermost.com/security-updates, which provides guidance on patches and remediation steps for affected versions.
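The defensive pattern the advisory implies is that a change in what an account is (here, user to bot) must end every session issued under the old identity. The following added example is not Mattermost code and does not reproduce its data model; all class and function names (SessionStore, convert_to_bot, auth_version) are hypothetical and the accounts are constructed inline. It contrasts a conversion that only flips a flag with one that revokes all sessions and, as a second line of defence, binds each session to an account version so that a session minted before the conversion fails validation even if revocation is missed.

```python
"""Added example (not Mattermost's code): revoking every session when an
account is converted to a bot. All names are hypothetical; data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets
import time


@dataclass
class Account:
    user_id: str
    is_bot: bool = False
    # Bumped on every security-relevant change to the account (bot conversion,
    # role change, password reset). Sessions record the version they were minted under.
    auth_version: int = 0


@dataclass
class Session:
    token: str
    user_id: str
    auth_version: int
    created_at: float = field(default_factory=time.time)


class SessionStore:
    """In-memory stand-in for an account and session database."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def add_account(self, user_id: str) -> Account:
        acct = Account(user_id)
        self.accounts[user_id] = acct
        return acct

    def login(self, user_id: str) -> str:
        acct = self.accounts[user_id]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, acct.auth_version)
        return token

    def revoke_all_sessions(self, user_id: str) -> int:
        """Delete every session belonging to user_id; return how many were removed."""
        stale = [t for t, s in self.sessions.items() if s.user_id == user_id]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def resolve(self, token: str) -> Optional[Account]:
        """Return the account for a token, or None if the session is invalid.
        Beyond checking that the token exists, compare the auth_version the
        session was minted under with the account's current version: a session
        issued before a conversion is rejected even if revocation was skipped."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        acct = self.accounts.get(sess.user_id)
        if acct is None or sess.auth_version != acct.auth_version:
            return None
        return acct


def convert_to_bot_unsafe(store: SessionStore, user_id: str) -> None:
    """The behaviour the advisory describes: the flag flips, sessions survive."""
    store.accounts[user_id].is_bot = True


def convert_to_bot(store: SessionStore, user_id: str) -> int:
    """Hardened conversion: flip the flag, bump auth_version so any earlier
    session fails resolve(), and explicitly revoke those sessions.
    Returns the number of sessions revoked."""
    acct = store.accounts[user_id]
    acct.is_bot = True
    acct.auth_version += 1
    return store.revoke_all_sessions(user_id)


def demo() -> dict:
    """Run both conversions on constructed accounts and report what survives."""
    store = SessionStore()
    store.add_account("alice")
    store.add_account("bob")
    alice_tok = store.login("alice")
    bob_tok = store.login("bob")
    convert_to_bot_unsafe(store, "alice")
    revoked = convert_to_bot(store, "bob")
    return {
        "unsafe_session_survives": store.resolve(alice_tok) is not None,
        "safe_sessions_revoked": revoked,
        "safe_session_survives": store.resolve(bob_tok) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The auth_version check is what makes the fix robust rather than merely correct: if a future code path converts an account without calling revoke_all_sessions, the stale tokens still stop resolving as soon as the version is bumped, and the revocation count returned by convert_to_bot is a cheap thing to log for detection.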

Details

CWE(s)
CWE-384

Affected Products

Vendor: mattermost
Product: mattermost server
Versions: 9.11.0 to 9.11.7; 10.4.0 to 10.4.2

References