CVE-2025-2571: Mattermost fails to clear Google OAuth credentials

May 30, 2025

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

References

github.com/advisories/GHSA-8cgx-9ccj-3gwr
github.com/mattermost/mattermost
github.com/mattermost/mattermost/commit/04676582cdd26f4fdfa78fcf60a7f8745e6b27f5
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-2571

Code Behaviors & Features

Detect and mitigate CVE-2025-2571 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →