CVE-2017-18872: Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.