VYPR
Moderate severity · NVD Advisory · Published May 30, 2025 · Updated May 30, 2025

Google OAuth Authentication Bypass for Converted Bot Accounts

CVE-2025-2571

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
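The defect pattern described above, as an added Go sketch that is not Mattermost's own code (record fields, function names and the in-memory store are assumptions): a conversion that leaves the Google OAuth link in place beside one that clears it, plus a login-side guard that refuses bot accounts regardless of what the stored credentials say.

```go
package main

import "errors"

// User models the subset of an account record relevant here. Field names are
// assumptions for this example, not Mattermost's schema.
type User struct {
	ID          string
	IsBot       bool
	AuthService string // OAuth provider, e.g. "google"; empty if none
	AuthData    string // provider-side subject id; empty if none
}

// Store is a constructed in-memory user table keyed by user ID.
type Store map[string]*User

var ErrNoMatch = errors.New("no account linked to this OAuth identity")
var ErrIsBot = errors.New("OAuth login refused: account is a bot")

// ConvertToBotVulnerable reproduces the advisory's defect: the OAuth link survives.
func ConvertToBotVulnerable(u *User) { u.IsBot = true }

// ConvertToBotFixed clears the OAuth link as part of the conversion, so the
// provider identity no longer resolves to the bot account.
func ConvertToBotFixed(u *User) {
	u.IsBot, u.AuthService, u.AuthData = true, "", ""
}

// LookupByOAuth resolves a provider assertion to an account, as the OAuth flow would.
func (s Store) LookupByOAuth(service, subject string) (*User, bool) {
	for _, u := range s {
		if u.AuthService == service && u.AuthData == subject {
			return u, true
		}
	}
	return nil, false
}

// OAuthLogin adds an independent guard: even if stale credentials survive a
// conversion, a bot account must never be issued an OAuth session.
func (s Store) OAuthLogin(service, subject string) (*User, error) {
	u, ok := s.LookupByOAuth(service, subject)
	if !ok {
		return nil, ErrNoMatch
	}
	if u.IsBot {
		return nil, ErrIsBot
	}
	return u, nil
}
```

The login-side guard is defence in depth: the actual fix is clearing the link at conversion time, and the guard only limits the blast radius if a stale link is ever left behind by another path.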


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem   Affected versions                        Patched version
github.com/mattermost/mattermost/server/v8  Go          >= 10.7.0-rc1, < 10.7.1                  10.7.1
github.com/mattermost/mattermost/server/v8  Go          >= 10.0.0-rc1, < 10.5.4                  10.5.4
github.com/mattermost/mattermost/server/v8  Go          >= 9.0.0-rc1, < 9.11.13                  9.11.13
github.com/mattermost/mattermost/server/v8  Go          < 8.0.0-20250414095146-04676582cdd2      8.0.0-20250414095146-04676582cdd2
github.com/mattermost/mattermost/server/v8  Go          >= 10.6.0-rc1, < 10.6.3                  10.6.3
