CVE-2025-12419
Vendor: Mattermost · Product: Multiple Products · Affected versions: multiple Mattermost versions
A critical vulnerability has been identified in multiple versions of Mattermost products that allows for a complete user account takeover.
Executive summary
A critical vulnerability has been identified in multiple versions of Mattermost products that allows for a complete user account takeover. The flaw exists in the OpenID Connect authentication process, where an attacker with specific permissions can manipulate the login flow to gain control of another user's account. Successful exploitation could lead to unauthorized access to sensitive data, impersonation, and further compromise of the collaboration environment.
Vulnerability
The vulnerability is improper validation of OAuth state tokens during the OpenID Connect (OIDC) authentication process. It can be exploited by an authenticated attacker who holds the privilege to create teams. Several preconditions must hold: email verification must be disabled (the default setting), OIDC authentication must be enabled, and the attacker must control two separate user accounts in the single sign-on (SSO) system, one of which has never logged into Mattermost before. The attacker initiates an OIDC login for the new user, intercepts the authentication data during the completion phase, and manipulates it to link the new SSO identity to their own existing Mattermost account, thereby taking it over.
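The defensive pattern that this flaw class violates is that an OIDC callback must derive every decision (login versus account-link, and which account is the link target) from a server-side record created when the flow started and bound to the browser session that started it, never from data the client presents at completion. The following is an added, generic illustration written for this advisory; it is not Mattermost's code, and all class, function and field names are hypothetical.

```python
"""Added example for this advisory, not Mattermost's own code.

A generic sketch of how an OIDC callback should decide what to do with the
returned identity: every decision (is this a login or an account-link, and
which account is the link target) comes from a server-side record created
when the flow began and bound to the browser session that began it. Nothing
the client presents at completion time, other than the opaque state value and
the verified ID-token subject, influences that decision. Names are hypothetical.
"""
import secrets
import time

STATE_TTL_SECONDS = 300  # assumed lifetime for a pending flow


class OidcStateStore:
    """Server-side store of pending OIDC flows, keyed by the state value."""

    def __init__(self, now=time.time):
        self._pending = {}
        self._now = now  # injectable clock so expiry can be exercised offline

    def begin(self, session_id, action, session_account=None):
        """Start a flow for a browser session.

        action is "login" (unauthenticated session) or "link" (the already
        authenticated session wants to attach an SSO identity to its OWN
        account, which the server knows from the session, not from input).
        """
        if action not in ("login", "link"):
            raise ValueError("unknown action")
        if action == "link" and session_account is None:
            raise ValueError("link requires an authenticated session")
        state = secrets.token_urlsafe(32)
        self._pending[state] = {
            "session_id": session_id,
            "action": action,
            "target_account": session_account if action == "link" else None,
            "issued_at": self._now(),
        }
        return state

    def complete(self, session_id, state):
        """Consume a state value; raise on reuse, expiry or session mismatch."""
        record = self._pending.pop(state, None)  # pop makes it single-use
        if record is None:
            raise PermissionError("unknown or already-used state")
        if self._now() - record["issued_at"] > STATE_TTL_SECONDS:
            raise PermissionError("state expired")
        if record["session_id"] != session_id:
            raise PermissionError("state was issued to a different session")
        return record


def finish_oidc_callback(store, accounts, session_id, state, id_token_claims):
    """Handle the provider callback.

    accounts maps account name -> linked SSO subject (None if unlinked).
    Returns the name of the account the session is now signed in as.
    """
    record = store.complete(session_id, state)
    subject = id_token_claims["sub"]  # assumed already signature-verified
    if record["action"] == "link":
        target = record["target_account"]
        if accounts.get(target) is not None:
            raise PermissionError("account already linked to an SSO identity")
        accounts[target] = subject
        return target
    # "login": sign in to the account already bound to this subject, else
    # provision a fresh one. A never-seen subject is never attached to an
    # existing account here, whatever the client sent with the callback.
    for name, linked in accounts.items():
        if linked == subject:
            return name
    if subject in accounts:
        raise PermissionError("cannot provision: account name already taken")
    accounts[subject] = subject
    return subject


def run_scenarios():
    """Exercise the checks with constructed data; returns outcomes by name."""
    clock = [1_000.0]
    store = OidcStateStore(now=lambda: clock[0])
    accounts = {"alice": "idp|alice", "bob": None}  # constructed sample state
    out = {}

    def attempt(session, state, sub):
        try:
            return finish_oidc_callback(store, accounts, session, state, {"sub": sub})
        except PermissionError as exc:
            return "rejected: " + str(exc)

    st = store.begin("sess-new", "login")
    out["fresh_login"] = attempt("sess-new", st, "idp|newuser")   # new account
    out["replay"] = attempt("sess-new", st, "idp|newuser")        # reused state
    st = store.begin("sess-a", "login")
    out["cross_session"] = attempt("sess-b", st, "idp|newuser")   # wrong session
    st = store.begin("sess-c", "login")
    clock[0] += STATE_TTL_SECONDS + 1
    out["expired"] = attempt("sess-c", st, "idp|newuser")         # stale state
    st = store.begin("sess-bob", "link", session_account="bob")
    out["link_own"] = attempt("sess-bob", st, "idp|bob")          # legitimate link
    out["accounts"] = dict(accounts)
    return out
```

Note that `finish_oidc_callback` takes no target-account parameter at all: the only way to link a subject to an account is to have started a "link" flow from a session already signed in to that account, and a first-time login for an unknown subject can only create a new account.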
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the high potential for significant damage. A successful exploit results in a full account takeover, granting the attacker complete access to the victim's Mattermost account. This includes access to all private channels, direct messages, and files, leading to a severe breach of confidentiality and integrity. The attacker can impersonate the victim to socially engineer other employees, exfiltrate sensitive corporate data, or pivot to attack other internal systems, posing a substantial risk to the organization's security and operational integrity.
Remediation
Immediate Action: Apply the security patches provided by the vendor without delay. Upgrade all affected Mattermost instances to a patched version as specified in the official Mattermost security advisory.
Proactive Monitoring: System administrators should actively monitor authentication logs from both Mattermost and the configured SSO provider. Look for anomalies such as rapid or unusual account creation and login sequences, mismatched state tokens in OAuth logs, or unexpected account attribute changes. Review access logs for any unauthorized activity from accounts that may have been compromised.
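As an added example of the monitoring described above (not a Mattermost or vendor tool), the script below runs three checks over authentication events: OAuth state mismatches, an existing account completing an OIDC login with an SSO subject it was never seen with before, and bursts of account creation from one source address. The one-object-per-line event format and the sample lines are constructed for this example; real Mattermost and identity-provider log fields would need to be mapped onto it.

```python
"""Added example for this advisory, not Mattermost tooling.

Runs three simple checks over authentication events of the kinds the
monitoring guidance names. The event format is CONSTRUCTED for this example
(one JSON object per line); map your real Mattermost and IdP log fields onto
it before use.
"""
import json
from collections import defaultdict, deque

# Constructed sample: one normal login, then a burst of account creations,
# a state mismatch, and an existing account completing login with a subject
# it was never seen with before.
SAMPLE_LOG = """
{"ts": 1700000000, "event": "oidc_login_complete", "user": "alice", "sub": "idp|alice", "ip": "10.0.0.5"}
{"ts": 1700000100, "event": "user_created", "user": "tmp1", "ip": "10.0.0.9"}
{"ts": 1700000105, "event": "user_created", "user": "tmp2", "ip": "10.0.0.9"}
{"ts": 1700000110, "event": "user_created", "user": "tmp3", "ip": "10.0.0.9"}
{"ts": 1700000120, "event": "oidc_state_mismatch", "ip": "10.0.0.9"}
{"ts": 1700000130, "event": "oidc_login_complete", "user": "alice", "sub": "idp|tmp3", "ip": "10.0.0.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, burst_window=60, burst_threshold=3):
    """Return a list of findings, each tagged with the rule that produced it."""
    findings = []
    first_subject = {}                   # user -> SSO subject first seen for it
    recent_creates = defaultdict(deque)  # ip -> timestamps of user_created
    for e in events:
        kind = e["event"]
        if kind == "oidc_state_mismatch":
            # Any state mismatch is worth a look; the flaw is in state validation.
            findings.append({"rule": "state_mismatch", "ts": e["ts"], "ip": e.get("ip")})
        elif kind == "oidc_login_complete":
            # An account should keep the same IdP subject for its lifetime.
            user, sub = e["user"], e["sub"]
            prior = first_subject.setdefault(user, sub)
            if prior != sub:
                findings.append({"rule": "subject_changed", "ts": e["ts"],
                                 "user": user, "old": prior, "new": sub})
        elif kind == "user_created":
            # Sliding window of creations per source address.
            window = recent_creates[e["ip"]]
            window.append(e["ts"])
            while e["ts"] - window[0] > burst_window:
                window.popleft()
            if len(window) == burst_threshold:
                findings.append({"rule": "creation_burst", "ts": e["ts"],
                                 "ip": e["ip"], "count": len(window)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

The `subject_changed` rule is the one most directly tied to this advisory: a login that attaches a never-before-seen SSO subject to an account that already had one is exactly the outcome the flaw produces, so it should be correlated with the identity provider's own log of which subject completed that flow.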
Compensating Controls: If immediate patching is not feasible, the following compensating controls can reduce the risk of exploitation:
- Enable Email Verification: Change the Mattermost configuration to require email verification for new accounts. This disrupts a key precondition for the attack.
- Restrict Privileges: Audit and strictly limit which roles have permission to create new teams.
- Review SSO Configuration: Ensure your SSO and OIDC provider configurations are hardened and follow best practices.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.9, this vulnerability represents a severe and immediate threat. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches to all affected Mattermost servers without delay. While this CVE is not currently listed on the CISA KEV catalog, its high severity warrants treating it as a critical priority. In parallel with patching, implement the suggested compensating controls, particularly enabling email verification, to provide an additional layer of defense.