CVE-2025-2571
Severity: MEDIUM (CVSS 4.2) | EPSS: 0.17%
Mattermost fails to clear Google OAuth credentials
Published: 5/30/2025 | Modified: 6/3/2025
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
Affected packages (5)
- Go / github.com/mattermost/mattermost-server: >= 9.0.0-rc1+incompatible, < 9.11.13+incompatible; >= 10.0.0-rc1+incompatible, < 10.5.4+incompatible; >= 10.6.0-rc1+incompatible, < 10.6.3+incompatible; >= 10.7.0-rc1+incompatible, < 10.7.1+incompatible
- Go / github.com/mattermost/mattermost-server/v5: from 0 (all versions)
- Go / github.com/mattermost/mattermost-server/v6: from 0 (all versions)
- Go / github.com/mattermost/mattermost/server/v8: >= 10.7.0-rc1, < 10.7.1
- Go / github.com/mattermost/mattermost/server/v8: from 0, < 8.0.0-20250414095146-04676582cdd2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.2) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |