CVE-2025-2571: 
vulnerability analysis and mitigation

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, and 9.11.x <= 9.11.12 contain a vulnerability related to Google OAuth credentials. The issue was disclosed on May 30, 2025, and involves a failure to clear Google OAuth credentials when converting user accounts to bot accounts (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.2 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue is classified as CWE-303 (Incorrect Implementation of Authentication Algorithm). The technical nature of the vulnerability involves an authentication flaw where Google OAuth credentials persist after user accounts are converted to bot accounts (NVD).

The vulnerability allows attackers to gain unauthorized access to bot accounts through the Google OAuth signup flow. This could potentially lead to compromised bot account access and unauthorized actions being performed under the bot account's privileges (NVD).

Users should upgrade to versions newer than 10.7.0 for the 10.7.x series, 10.6.2 for the 10.6.x series, 10.5.3 for the 10.5.x series, or 9.11.12 for the 9.11.x series (NVD, Mattermost Security).