CVE-2025-2571

4.2 MEDIUM

📋 TL;DR

Mattermost does not clear the Google OAuth binding (the stored OAuth credentials) when a user account is converted to a bot account. Whoever controls the Google identity that was linked to the original user can therefore go through the Google OAuth signup flow and be signed in as the bot account. This affects Mattermost instances that have Google OAuth enabled and on which user-to-bot conversions have taken place.

💻 Affected Systems

Products:
  • Mattermost
Versions: 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires Google OAuth authentication enabled and user accounts converted to bot accounts.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Whoever controls the Google identity that was linked to the account before conversion (for example an offboarded user whose account was turned into a bot, or an attacker who has compromised that Google account) keeps persistent, interactive access to the bot account, including its team and channel memberships and any elevated privileges granted to the bot, and can read sensitive channels or act in the bot's name.

🟠 Likely Case

Unauthorized access to individual bot accounts, leading to exposure of the data those bots can reach and limited privilege escalation within the Mattermost instance.

🟢 If Mitigated

Minimal impact if Google OAuth is disabled, if user-to-bot conversions are restricted to trusted administrators, or if no converted bot remains linked to a Google identity.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control of the Google identity that was linked to the account before it was converted (or a compromise of that Google account) and that Google OAuth is still enabled on the instance. No Mattermost password or token is needed; the Google OAuth signup flow itself yields the bot session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.7.1, 10.6.3, 10.5.4, 9.11.13

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up the Mattermost configuration and database.
2. Download the patched release for your minor line (10.7.1, 10.6.3, 10.5.4 or 9.11.13) from Mattermost releases.
3. Stop the Mattermost service.
4. Install the patched version.
5. Restart the Mattermost service.
6. Verify the version update.

🔧 Temporary Workarounds

Disable Google OAuth

all

Temporarily disable Google OAuth authentication to prevent exploitation.

Edit config.json: set 'GoogleSettings.Enable' to false
Restart Mattermost service
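The config.json edit above, as an added example script; it is not part of this page or of Mattermost's own tooling. It assumes the instance uses file-based configuration; the default path /opt/mattermost/config/config.json is an assumption and can be overridden on the command line.

```python
"""Disable Google OAuth in a Mattermost config.json (added example, not Mattermost's own tooling)."""
import json
import os
import shutil
import sys


def disable_google_oauth(config: dict) -> tuple[bool, dict]:
    """Return (changed, config) with GoogleSettings.Enable forced to False.

    Mattermost keeps Google OAuth under the top-level "GoogleSettings" object in
    config.json; "Enable" is the key this workaround turns off.
    """
    settings = config.setdefault("GoogleSettings", {})
    if settings.get("Enable") is False:
        return False, config  # already disabled, nothing to write
    settings["Enable"] = False
    return True, config


def apply_to_file(path: str) -> bool:
    """Rewrite config.json in place, keeping a .bak copy. Returns True if a change was made."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    changed, config = disable_google_oauth(config)
    if changed:
        shutil.copy2(path, path + ".bak")
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=4)
            fh.write("\n")
        os.replace(tmp, path)  # atomic rename: never leaves a half-written config behind
    return changed


if __name__ == "__main__":
    # Assumed default install path; pass the real path as the first argument.
    cfg_path = sys.argv[1] if len(sys.argv) > 1 else "/opt/mattermost/config/config.json"
    print("changed" if apply_to_file(cfg_path) else "already disabled", cfg_path)
```

Run it as `python3 disable_google_oauth.py /path/to/config.json` and then restart the service as the workaround says. If the instance keeps its configuration in the database rather than in config.json, set the same key with `mmctl config set GoogleSettings.Enable false` instead. Either way, the change locks out every user who signs in with Google, so confirm that another login method is available before applying it.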

Restrict User-to-Bot Conversions

all

Limit account conversions to trusted administrators only.

Configure Mattermost permissions so that only system admins can convert users to bots. The convert-to-bot API endpoint (POST /api/v4/users/{user_id}/convert_to_bot) is documented as requiring the manage_system permission, so in practice this means auditing who holds the System Admin role and removing it where it is not needed.

🧯 If You Can't Patch

  • Monitor audit logs for Google OAuth logins that resolve to a bot account, and for convert-to-bot operations so each conversion can be reviewed.
  • Review bot accounts that were converted from user accounts: any that are still linked to a Google identity can be signed into by whoever controls that identity, so deactivate them, or delete and recreate them as native bots, until the patch is applied. Revoke permissions those bots do not need.
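A hunt for converted bots that still carry an OAuth binding, added here as an example; it is not from this page or from Mattermost. It assumes an admin-level access token, that GET /api/v4/bots returns bot objects carrying user_id and username, and that GET /api/v4/users/{id} returns auth_service (and, for admins, auth_data). The sample bot and user records below are constructed.

```python
"""Find bot accounts whose user record still has an OAuth binding (added example, not Mattermost's code)."""
import json
import sys
import urllib.request


def stale_oauth_bots(bots: list[dict], users_by_id: dict[str, dict]) -> list[dict]:
    """Return the bots whose user record still has a non-empty auth_service.

    A bot created as a bot has an empty auth_service. A user account that was
    converted to a bot and kept its Google binding still shows auth_service ==
    "google" with the Google subject in auth_data; that is exactly the state
    CVE-2025-2571 leaves behind.
    """
    findings = []
    for bot in bots:
        user = users_by_id.get(bot["user_id"], {})
        service = user.get("auth_service", "")
        if service:
            findings.append({
                "bot_user_id": bot["user_id"],
                "username": bot.get("username", user.get("username", "")),
                "auth_service": service,
                "auth_data": user.get("auth_data", ""),
            })
    return findings


def api_get(base: str, token: str, path: str):
    """Authenticated GET against the Mattermost REST API (assumed admin token)."""
    req = urllib.request.Request(base.rstrip("/") + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def hunt(base: str, token: str) -> list[dict]:
    """Pull the first page of bots (200 max) and each bot's user record, then filter."""
    bots = api_get(base, token, "/api/v4/bots?per_page=200&include_deleted=true")
    users = {b["user_id"]: api_get(base, token, "/api/v4/users/" + b["user_id"]) for b in bots}
    return stale_oauth_bots(bots, users)


# Constructed sample: one native bot and one converted account that kept its Google link.
SAMPLE_BOTS = [
    {"user_id": "u1", "username": "deploy-bot"},
    {"user_id": "u2", "username": "jdoe"},
]
SAMPLE_USERS = {
    "u1": {"id": "u1", "username": "deploy-bot", "auth_service": ""},
    "u2": {"id": "u2", "username": "jdoe", "auth_service": "google",
           "auth_data": "118293344556677889900"},  # constructed Google subject id
}

if __name__ == "__main__":
    if len(sys.argv) > 2:
        results = hunt(sys.argv[1], sys.argv[2])
    else:
        results = stale_oauth_bots(SAMPLE_BOTS, SAMPLE_USERS)
    for finding in results:
        print(json.dumps(finding))
```

Run it as `python3 hunt_bots.py https://chat.example.com "$ADMIN_TOKEN"`; without arguments it runs over the constructed sample and reports jdoe. The bots endpoint is paged, so add a page= loop for estates with more than 200 bots. Every hit is an account that the linked Google identity can still sign into; treat it as the item to deactivate or recreate in the step above.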

🔍 How to Verify

Check if Vulnerable:

Check the Mattermost version in the web interface (About Mattermost) or on the command line, confirm it falls within an affected range, and confirm GoogleSettings.Enable is true. Both conditions must hold for the instance to be exploitable.

Check Version:

mattermost version

(or, with the newer CLI, mmctl system version)

Verify Fix Applied:

Confirm the running version is a patched release, then test the conversion path: convert a throwaway user that signed in with Google into a bot, and try to sign in again with that Google account through the OAuth signup flow. On a patched server that sign-in must not land in the bot account. Bots converted before the patch may still carry the stale Google binding (this page does not say whether the fix cleans them up), so review those separately.
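A scripted form of the version and Google OAuth checks above, added here as an example; it is not from this page or from Mattermost. It assumes the unauthenticated endpoint /api/v4/config/client?format=old, whose JSON carries the server version as Version and the Google signup flag as EnableSignUpWithGoogle (both as strings). The affected-version table is the one listed on this page, and the embedded sample response is constructed.

```python
"""Check a Mattermost server against this page's affected-version table for CVE-2025-2571.

Added example, not Mattermost's own tooling. Assumes GET /api/v4/config/client?format=old
returns "Version" and "EnableSignUpWithGoogle" as strings.
"""
import json
import sys
import urllib.request

# (major, minor) -> last affected patch level, as listed on this page.
AFFECTED = {
    (10, 7): 0,
    (10, 6): 2,
    (10, 5): 3,
    (9, 11): 12,
}


def parse_version(text: str) -> tuple[int, int, int]:
    """'10.6.2' -> (10, 6, 2); tolerates a build suffix such as '10.6.2-rc1'."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str):
    """True/False for minor lines in the table; None for lines the table does not cover."""
    major, minor, patch = parse_version(version)
    last_bad = AFFECTED.get((major, minor))
    if last_bad is None:
        return None
    return patch <= last_bad


def assess(client_config: dict) -> dict:
    """Combine the version check with the Google signup flag into one verdict."""
    version = client_config.get("Version", "")
    google = str(client_config.get("EnableSignUpWithGoogle", "false")).lower() == "true"
    affected = is_affected(version)
    if affected is None:
        status = "unlisted-minor-check-advisory"
    elif affected and google:
        status = "vulnerable"
    elif affected:
        status = "affected-version-google-oauth-off"
    else:
        status = "patched"
    return {"version": version, "google_oauth": google, "status": status}


def fetch_client_config(base_url: str) -> dict:
    """Fetch the public client config; no authentication is required for this endpoint."""
    url = base_url.rstrip("/") + "/api/v4/config/client?format=old"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response: an affected version with Google OAuth switched on.
SAMPLE = json.loads('{"Version": "10.6.2", "EnableSignUpWithGoogle": "true"}')

if __name__ == "__main__":
    cfg = fetch_client_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(assess(cfg)))
```

Run it as `python3 check_cve_2025_2571.py https://chat.example.com`; without an argument it evaluates the constructed sample and reports "vulnerable". A minor line absent from this page's table (10.4.x, for example) comes back as "unlisted-minor-check-advisory" rather than a guess; compare it against the vendor advisory. A "patched" result means the conversion path is fixed, not that previously converted bots have been cleaned up.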

📡 Detection & Monitoring

Log Indicators:

  • Google OAuth logins that resolve to a bot account (a bot should never complete an interactive OAuth login)
  • Convert-to-bot operations, successful or failed, so each conversion can be matched against the Google binding it should have cleared

Network Indicators:

  • Google OAuth callback requests that end in a session for a bot account

SIEM Query (schematic: the event and field names below are illustrative and must be mapped to how your Mattermost audit log is actually ingested):

source="mattermost" AND (event="oauth_authentication" AND account_type="bot")

🔗 References
