CVE-2025-12421

CRITICAL LAB

Mattermost <11.0.2, 10.12.1, 10.11.4, 10.5.12 - Auth Bypass

Title source: llm

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-12421

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 9.9

EPSS 0.0009

EPSS Percentile 26.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Lab Environment

vulnerable

docker pull ghcr.io/exploitintel/cve-2025-12421-vulnerable:latest

All Labs GitHub

Classification

CWE

CWE-303

Status published

Affected Products (3)

mattermost/mattermost_server < 10.5.13

mattermost/mattermost < 8.0.0-20251022210333-acda1fb5dd46Go

mattermost/mattermost-server < 11.0.3Go

Timeline

Published Nov 27, 2025

Tracked Since Feb 18, 2026