Moderate severity · NVD Advisory · Published May 30, 2025 · Updated May 30, 2025

Google OAuth Authentication Bypass for Converted Bot Accounts

CVE-2025-2571

Description

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.7.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.0.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 | Go | < 8.0.0-20250414095146-04676582cdd2 | 8.0.0-20250414095146-04676582cdd2 |
| github.com/mattermost/mattermost/server/v8 | Go | >= 10.6.0-rc1, < 10.6.3 | 10.6.3 |

Affected products

1

Patches

1
04676582cdd2

MM-63342:Bot accounts OAuth gating (#30466)

https://github.com/mattermost/mattermost · catalintomai · Apr 14, 2025 · via ghsa
2 files changed · +69 0
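--- a/server/channels/app/bot.go
+++ b/server/channels/app/bot.go
@@ -604,6 +604,27 @@ func (a *App) getDisableBotSysadminMessage(user *model.User, userBots model.BotL
 
 // ConvertUserToBot converts a user to bot.
 func (a *App) ConvertUserToBot(rctx request.CTX, user *model.User) (*model.Bot, *model.AppError) {
+	// Clear OAuth credentials before converting to bot
+	if user.AuthService != "" {
+		emptyString := ""
+		userAuth := &model.UserAuth{
+			AuthService: "",
+			AuthData:    &emptyString,
+		}
+
+		_, err := a.UpdateUserAuth(rctx, user.Id, userAuth)
+		if err != nil {
+			return nil, err
+		}
+
+		// Refresh user data
+		updatedUser, err := a.GetUser(user.Id)
+		if err != nil {
+			return nil, err
+		}
+		user = updatedUser
+	}
+
 	bot, err := a.Srv().Store().Bot().Save(model.BotFromUser(user))
 	if err != nil {
 		var appErr *model.AppError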
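Review bot: The auth-binding wipe at the top of the hunk is committed through `a.UpdateUserAuth` before `a.Srv().Store().Bot().Save` runs on the line after it, with nothing spanning both writes, so a Save failure leaves a non-bot account whose `AuthService`/`AuthData` have already been emptied and whose former sign-in method presumably no longer resolves to it. Whether the store exposes a transaction that can cover both writes is not visible here; if it does not, the Save error path should at least restore the previous `AuthService`/`AuthData` before returning. The new branch clears any non-empty `AuthService`, not only Google OAuth, which is the right scope, but both the inline comment and the function's doc comment undersell it; suggest `// ConvertUserToBot converts a user to bot, first clearing any external auth binding (AuthService/AuthData) so an SSO signup or login can no longer resolve to the account.` ConvertUserToBot's body continues past the end of the hunk.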
    
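--- a/server/channels/app/bot_test.go
+++ b/server/channels/app/bot_test.go
@@ -901,6 +901,54 @@ func TestConvertUserToBot(t *testing.T) {
 		require.NotNil(t, err)
 		require.Equal(t, "api.context.invalid_token.error", err.Id)
 	})
+
+	t.Run("user with oauth credentials", func(t *testing.T) {
+		th := Setup(t).InitBasic()
+		defer th.TearDown()
+
+		// Create a user first
+		oauthUser := &model.User{
+			Email:         "oauth_user@example.com",
+			Username:      "oauth_user",
+			Password:      "password",
+			EmailVerified: true,
+		}
+
+		oauthUser, err := th.App.CreateUser(th.Context, oauthUser)
+		require.Nil(t, err)
+
+		// Set OAuth credentials
+		authData := "google_auth_data"
+		userAuth := &model.UserAuth{
+			AuthData:    &authData,
+			AuthService: "google",
+		}
+		_, err = th.App.UpdateUserAuth(th.Context, oauthUser.Id, userAuth)
+		require.Nil(t, err)
+
+		// Verify OAuth credentials are set
+		oauthUser, appErr := th.App.GetUser(oauthUser.Id)
+		require.Nil(t, appErr)
+		require.Equal(t, "google", oauthUser.AuthService)
+		require.NotNil(t, oauthUser.AuthData)
+
+		// Convert user to bot
+		bot, err := th.App.ConvertUserToBot(th.Context, oauthUser)
+		require.Nil(t, err)
+		defer func() {
+			err = th.App.PermanentDeleteBot(th.Context, bot.UserId)
+			require.Nil(t, err)
+		}()
+
+		// Get updated user and verify OAuth credentials are cleared
+		updatedUser, err := th.App.GetUser(oauthUser.Id)
+		require.Nil(t, err)
+		assert.Empty(t, updatedUser.AuthService)
+		// AuthData may be empty string instead of nil in the database
+		if updatedUser.AuthData != nil {
+			assert.Empty(t, *updatedUser.AuthData)
+		}
+	})
 }
 
 func TestGetSystemBot(t *testing.T) {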
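Review bot: The new subtest checks the stored `AuthService`/`AuthData` after conversion but never exercises the lookup the SSO signup flow uses, so it would still pass if that path resolved accounts by some other column; if the app exposes a lookup by auth data and service, assert it no longer returns the converted account, and also assert `bot.UserId == oauthUser.Id` so the cleared record is the one that became the bot. The deferred cleanup reassigns the outer `err` and calls `require.Nil` from inside a defer, which only reports after the body has finished; `assert.Nil(t, th.App.PermanentDeleteBot(th.Context, bot.UserId))` in the closure keeps the outer variable untouched. The `appErr` name at the first `th.App.GetUser` call exists only because `:=` cannot redeclare `err`; `oauthUser, err = th.App.GetUser(oauthUser.Id)` with plain assignment keeps one error variable throughout, as the later `th.App.GetUser` call already does.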
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.