CVE-2025-2571

Summary

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.7.0affected
MattermostMattermost10.6.0 <= 10.6.2affected
MattermostMattermost10.5.0 <= 10.5.3affected
MattermostMattermost9.11.0 <= 9.11.12affected
MattermostMattermost10.8.0unaffected
MattermostMattermost10.7.1unaffected
MattermostMattermost10.6.3unaffected
MattermostMattermost10.5.4unaffected
MattermostMattermost9.11.13unaffected

Weaknesses

  • CWE-303: CWE-303: Incorrect Implementation of Authentication Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References