Moderate severity · NVD Advisory · Published May 30, 2025 · Updated May 30, 2025
Google OAuth Authentication Bypass for Converted Bot Accounts
CVE-2025-2571
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
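As an added illustration, not Mattermost's own code, the following constructed Go model shows the conversion step the description refers to: the unsafe variant flips the account to a bot but leaves its Google OAuth binding in place, the corrected variant detaches the binding, and an audit helper flags bot accounts that still carry one. The `User`/`Store` types and all function names are assumptions made for this example.

```go
package main

import "errors"

// User is a constructed, simplified account record (not Mattermost's model);
// AuthService/AuthData bind it to an external identity used by OAuth login.
type User struct {
	ID, AuthService, AuthData string
	IsBot                     bool
}

type Store map[string]*User // in-memory account table keyed by user ID

// ConvertToBotUnsafe reproduces the advisory's flaw: the account becomes a
// bot but its Google OAuth binding is left intact.
func ConvertToBotUnsafe(u *User) { u.IsBot = true }

// ConvertToBot is the corrected variant: the external identity is detached,
// so no later OAuth signup or login can resolve to the bot.
func ConvertToBot(u *User) { u.IsBot, u.AuthService, u.AuthData = true, "", "" }

// LoginByOAuth models the OAuth signup flow once the provider has returned a
// subject id; as defence in depth a bot is never handed out as a session.
func LoginByOAuth(s Store, service, subject string) (*User, error) {
	for _, u := range s {
		if u.AuthService == service && u.AuthData == subject {
			if u.IsBot {
				return nil, errors.New("oauth identity resolves to a bot account")
			}
			return u, nil
		}
	}
	return nil, errors.New("no account bound to this identity")
}

// AuditBotsWithAuth lists bots that still carry an external identity (stale
// bindings left behind by an unpatched conversion).
func AuditBotsWithAuth(s Store) (stale []string) {
	for id, u := range s {
		if u.IsBot && u.AuthService != "" {
			stale = append(stale, id)
		}
	}
	return stale
}
```

Running `AuditBotsWithAuth` over an exported account table is the practical check after upgrading: any ID it returns is a bot converted while the bug was live and should have its auth fields cleared.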
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.7.0-rc1, < 10.7.1 | 10.7.1 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.0.0-rc1, < 10.5.4 | 10.5.4 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 9.0.0-rc1, < 9.11.13 | 9.11.13 |
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250414095146-04676582cdd2 | 8.0.0-20250414095146-04676582cdd2 |
| github.com/mattermost/mattermost/server/v8 (Go) | >= 10.6.0-rc1, < 10.6.3 | 10.6.3 |
Affected products
- pkg:golang/github.com/mattermost/mattermost/server/v8 (no CPE): range >= 10.7.0-rc1, < 10.7.1 (+ 1 more)
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE): range < 0.0.20250612T141001-1.1
- Range: 10.7.0