Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.
The application improperly validates OAuth state tokens during authentication via OpenID Connect (CWE-303: incorrect implementation of authentication algorithm). An attacker controlling two accounts in the SSO system—with one of them never previously logging into Mattermost—is able to manipulate data transmitted during the OAuth flow finalization phase. As a result, the system incorrectly associates the victim's identity with the attacker's session, leading to account takeover. The attack is possible only when: email address verification is disabled (disabled by default), OAuth/OpenID Connect is enabled, and the attacker has permissions to create teams.
An attacker can fully take over another Mattermost user's account, gaining access to their messages, channels, and data, as well as the ability to act on their behalf. Due to the extended scope (Scope: Changed), the consequences may extend beyond the application itself.
Mattermost Server should be updated to versions higher than 10.12.1, 10.11.4, 10.5.12, or 11.0.3 in accordance with information available on the vendor's website (https://mattermost.com/security-updates). Until the patch is deployed, risk can be reduced by enabling email address verification or disabling OAuth/OpenID Connect if it is not required.
Mattermost Server in versions: 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMattermost Server
APPMattermost10.5.0 – 10.5.13 (bez)10.11.0 – 10.11.5 (bez)10.12.0 – 10.12.2 (bez)11.0.0 – 11.0.4 (bez)
Related vulnerabilities
Mattermost Server — przejęcie konta przez błąd weryfikacji tokenu OAuth (account takeover)
Mattermost Server: path traversal w ekstraktorze archiwów umożliwia RCE
Mattermost Server — path traversal przy imporcie tablic (Boards)
Mattermost Server: path traversal przy duplikowaniu bloków w Boards
SQL Injection w Mattermost Server — podatność przy zmianie kolejności tablic