cbcvebase.
CVE-2025-2571
published 2025-05-30

CVE-2025-2571: Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user…

Severity: medium (CVSS 3.1 base score 4.2)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-server | >= 10.0.0-rc1+incompatible < 10.5.4+incompatible | 10.5.4+incompatible |
| github.com | mattermost_mattermost-server | >= 10.6.0-rc1+incompatible < 10.6.3+incompatible | 10.6.3+incompatible |
| github.com | mattermost_mattermost-server | >= 10.7.0-rc1+incompatible < 10.7.1+incompatible | 10.7.1+incompatible |
| github.com | mattermost_mattermost-server | >= 9.0.0-rc1+incompatible < 9.11.13+incompatible | 9.11.13+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250414095146-04676582cdd2 | 8.0.0-20250414095146-04676582cdd2 |
| github.com | mattermost_mattermost_server_v8 | >= 10.0.0-rc1 < 10.5.4 | 10.5.4 |
| github.com | mattermost_mattermost_server_v8 | >= 10.6.0-rc1 < 10.6.3 | 10.6.3 |
| github.com | mattermost_mattermost_server_v8 | >= 10.7.0-rc1 < 10.7.1 | 10.7.1 |
| github.com | mattermost_mattermost_server_v8 | >= 9.0.0-rc1 < 9.11.13 | 9.11.13 |
| mattermost | mattermost | | |
| mattermost | mattermost | 10.5.0 – 10.5.3 | |
| mattermost | mattermost | 10.6.0 – 10.6.2 | |
| mattermost | mattermost | 9.11.0 – 9.11.12 | |
| mattermost | mattermost_server | >= 10.5.0 < 10.5.4 | 10.5.4 |
| mattermost | mattermost_server | >= 10.6.0 < 10.6.3 | 10.6.3 |
| mattermost | mattermost_server | >= 10.7.0 < 10.7.1 | 10.7.1 |
| mattermost | mattermost_server | >= 9.11.0 < 9.11.13 | 9.11.13 |
| msrc | cbl2_vim_9.0.0325-1_on_cbl_mariner_2.0 | | |
| msrc | cm1_vim_9.0.0181-1_on_cbl_mariner_1.0 | | |