Severity: MEDIUM (4.2) · Ecosystem: Go
Mattermost fails to clear Google OAuth credentials
GHSA-8cgx-9ccj-3gwr · CVE-2025-2571 · GO-2025-3729
Description
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, and 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when a user account is converted to a bot account. Because the OAuth binding survives the conversion, an attacker who can complete the Google OAuth signup flow for that identity gains unauthorized access to the bot account.
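The failure mode is an account-type conversion that leaves an external login binding in place. The following Go program is an added illustration, not Mattermost's code: it models a simplified account store (the `User` fields, `ConvertToBotUnsafe`, `ConvertToBotSafe` and `AuditBotsWithAuth` are all constructed for this example), shows how a stale OAuth link lets the provider identity still resolve to the bot after the unsafe conversion, and includes an audit query a defender could run over existing accounts to find bots that still carry an auth binding.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a constructed, simplified account record. The field names are
// assumptions for this example and are not Mattermost's own types.
type User struct {
	ID          string
	Username    string
	AuthService string // e.g. "google" for Google OAuth, "" for password login
	AuthData    string // identity the OAuth provider reports for this account
	IsBot       bool
}

// Store is an in-memory stand-in for the account database.
type Store struct{ users map[string]*User }

func NewStore() *Store { return &Store{users: map[string]*User{}} }

func (s *Store) Add(u *User) { s.users[u.ID] = u }

// FindByAuth models the OAuth signup/login path: the identity asserted by the
// provider is resolved to an account, and that account receives the session.
func (s *Store) FindByAuth(service, authData string) (*User, error) {
	for _, u := range s.users {
		if u.AuthService == service && u.AuthData == authData {
			return u, nil
		}
	}
	return nil, errors.New("no account linked to this identity")
}

// ConvertToBotUnsafe reproduces the defect class: the account is flagged as a
// bot but the OAuth binding is left intact.
func ConvertToBotUnsafe(u *User) {
	u.IsBot = true
}

// ConvertToBotSafe clears every external-login binding as part of the
// conversion, so the provider identity no longer maps to the bot.
func ConvertToBotSafe(u *User) {
	u.IsBot = true
	u.AuthService = ""
	u.AuthData = ""
}

// AuditBotsWithAuth is the detection side: it returns IDs of bot accounts that
// still carry an external auth binding and should be cleaned up.
func AuditBotsWithAuth(s *Store) []string {
	var ids []string
	for _, u := range s.users {
		if u.IsBot && (u.AuthService != "" || u.AuthData != "") {
			ids = append(ids, u.ID)
		}
	}
	return ids
}

// Scenario converts a Google-linked user to a bot with the chosen routine and
// reports whether the OAuth identity still resolves to the bot, plus how many
// bots the audit flags.
func Scenario(safe bool) (reachable bool, flagged int) {
	s := NewStore()
	u := &User{ID: "u1", Username: "alice", AuthService: "google", AuthData: "sub-12345"}
	s.Add(u)
	if safe {
		ConvertToBotSafe(u)
	} else {
		ConvertToBotUnsafe(u)
	}
	hit, err := s.FindByAuth("google", "sub-12345")
	reachable = err == nil && hit.IsBot
	flagged = len(AuditBotsWithAuth(s))
	return reachable, flagged
}

func main() {
	r, n := Scenario(false)
	fmt.Printf("unsafe conversion: bot reachable via OAuth=%v, audit flagged=%d\n", r, n)
	r, n = Scenario(true)
	fmt.Printf("safe conversion:   bot reachable via OAuth=%v, audit flagged=%d\n", r, n)
}
```

The audit function is the part worth keeping after the upgrade: conversions performed on an unpatched version leave bindings behind, and a one-off query for bots with a non-empty auth service catches them.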