CVE-2025-1412

Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.

Published: Feb 24, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-1412
GHSA: GHSA-rhvr-6w8c-6v7w
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-384

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
github.com/mattermost/mattermost/server/v8	-	8.0.0-20241217145510-faa7e4f2ea0c
github.com/mattermost/mattermost/server/v8	10.4.0-rc1	10.4.2
github.com/mattermost/mattermost/server/v8	9.11.0-rc1	9.11.7

https://github.com/mattermost/mattermost/commit/faa7e4f2ea0cca2fd2aba271912b9fc3be788842
https://mattermost.com/security-updates

Vulnerability Database

289,784

CVE-2025-1412