CVE-2025-12419
Published: 27 November 2025
Summary
CVE-2025-12419 is a critical-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Mattermost Mattermost Server. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of inputs like OAuth state tokens at authentication interfaces to prevent manipulation during the OpenID Connect flow.
Protects session authenticity, which the OAuth state token is designed to enforce, mitigating account takeover via manipulated authentication data.
Ensures secure integration and validation mechanisms when employing external identity providers and authorization servers for OpenID Connect authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows an authenticated low-privilege attacker (team creation privileges) to exploit improper OAuth state token validation for account takeover, directly enabling exploitation for privilege escalation (T1068) and exploitation of remote services (T1210).
NVD Description
Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account…
more
via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.
Deeper analysisAI
CVE-2025-12419 is a critical authentication vulnerability in Mattermost, affecting versions 10.12.x up to and including 10.12.1, 10.11.x up to and including 10.11.4, 10.5.x up to and including 10.5.12, and 11.0.x up to and including 11.0.3. It arises from improper validation of OAuth state tokens during the OpenID Connect authentication process, linked to CWE-303 (Incorrect Implementation of Authentication and Session Management). The issue was published on 2025-11-27 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An authenticated attacker with team creation privileges can exploit this vulnerability to take over a target user account by manipulating authentication data during the OAuth completion flow. Successful exploitation requires specific conditions: email verification disabled (the default setting), OAuth or OpenID Connect enabled, and the attacker controlling two users in the SSO system, where one has never previously logged into Mattermost.
Mattermost has published details on mitigations and patches in their security updates, available at https://mattermost.com/security-updates. Security practitioners should review this advisory for upgrade instructions and configuration recommendations to address the flaw.
Details
- CWE(s)