CVE-2025-12421

Mattermost · Multiple products and versions

A critical account takeover vulnerability has been identified in multiple versions of the Mattermost collaboration platform.

Executive summary

A critical account takeover vulnerability has been identified in multiple versions of the Mattermost collaboration platform. The flaw allows an attacker who holds an ordinary authenticated account to gain complete control over another user's account, exposing that user's private messages, files and channel history and opening the door to further unauthorized access. The vulnerability is particularly severe because it is exploitable under the default server configuration: no administrator has to have turned anything on for an instance to be affected.

Vulnerability

The vulnerability exists in the Single Sign-On (SSO) code exchange process that runs when a user switches authentication methods (the "authentication transfer" feature). The final step of the exchange, a request to the /users/login/sso/code-exchange endpoint, accepts a token without verifying that it belongs to the same authentication session that started the switch, so the server has no binding between the account that initiated the transfer and the account the exchanged token is applied to. An authenticated attacker exploits this by registering an account with a specially crafted email address, initiating an authentication switch, and then intercepting and manipulating the code-exchange request so that their own session is linked to the victim's account, yielding a full account takeover. The exploit works under the default server configuration, because the two settings it depends on, ExperimentalEnableAuthenticationTransfer enabled and RequireEmailVerification disabled, are both Mattermost defaults; an instance is exposed unless an administrator has changed at least one of them.

Business impact

This vulnerability is rated critical with a CVSS score of 9.9. Successful exploitation results in the complete compromise of a user's Mattermost account from nothing more than a low-privileged account on the same server. An attacker could impersonate the victim, read all of their private messages, files and channel history, send messages in their name, and potentially leverage the compromised account to reach other systems integrated with Mattermost (bots, webhooks, linked tools). Likely consequences include theft of intellectual property, exposure of sensitive corporate data, internal phishing launched from a trusted account, and significant reputational damage; if the victim is a system administrator, the attacker inherits that role as well.

Remediation

Immediate Action: Apply the security patches provided by the vendor without delay. Upgrade all affected Mattermost instances to a non-vulnerable version as listed in the official Mattermost security advisory; this is the only change that removes the flaw itself rather than blocking one path to it.

Proactive Monitoring: System administrators should actively monitor access logs for activity against the /users/login/sso/code-exchange endpoint. Because the Mattermost application log does not record every successful request, the reverse proxy or load balancer access log in front of the server is usually the better source. A legitimate authentication switch produces a single code-exchange request; look for repeated requests to the endpoint from one client, for failed code-exchange attempts followed by a successful one from the same IP, and for new accounts registered with suspicious or malformed email addresses shortly before such requests. Where Mattermost's audit log is enabled, review it for unexpected changes to a user's authentication method.
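The following script is an added example, not part of the advisory or of Mattermost's own tooling, that applies the two heuristics above to a reverse proxy access log. The log lines are constructed in nginx "combined" format; the /api/v4 prefix on the code-exchange path, the ten-minute window and the three-request burst threshold are assumptions for illustration, and matching is done on the path suffix named in the advisory so the prefix does not matter.

```python
"""Flag suspicious use of the Mattermost SSO code-exchange endpoint in a proxy access log.

Added example; thresholds and log format are assumptions, not values from the advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path named in the advisory; matched as a suffix so /api/v4 (assumed prefix) is irrelevant.
CODE_EXCHANGE_SUFFIX = "/users/login/sso/code-exchange"

# nginx 'combined' format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def code_exchange_findings(lines, window=timedelta(minutes=10), burst=3):
    """Group POSTs to the code-exchange endpoint by client IP and flag two patterns:

    * burst: at least `burst` requests from one IP inside `window`
      (a genuine authentication switch needs exactly one)
    * retry-to-success: one or more 4xx/5xx responses followed by a 2xx inside `window`
      (the signature of someone tampering with the request until it is accepted)

    Returns one finding per flagged IP with the statuses seen in the window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(CODE_EXCHANGE_SUFFIX):
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            run = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            statuses = [r["status"] for r in run]
            reasons = []
            if len(run) >= burst:
                reasons.append("burst")
            failed_then_ok = any(
                statuses[j] >= 400 and any(s < 300 for s in statuses[j + 1:])
                for j in range(len(statuses))
            )
            if failed_then_ok:
                reasons.append("retry-to-success")
            if reasons:
                findings.append({
                    "ip": ip,
                    "start": first["ts"].isoformat(),
                    "end": run[-1]["ts"].isoformat(),
                    "statuses": statuses,
                    "reasons": reasons,
                })
                break  # one finding per IP is enough for triage
    return findings


# Constructed sample log: one legitimate auth switch from 10.0.0.5, and a client at
# 10.0.0.77 that registers an account and then hammers code-exchange until it succeeds.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:09:14:02 +0000] "POST /api/v4/users/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Nov/2025:09:14:40 +0000] "POST /api/v4/users/login/sso/code-exchange HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.77 - - [12/Nov/2025:09:20:01 +0000] "POST /api/v4/users HTTP/1.1" 201 640 "-" "python-requests/2.32"
10.0.0.77 - - [12/Nov/2025:09:20:15 +0000] "POST /api/v4/users/login/sso/code-exchange HTTP/1.1" 400 98 "-" "python-requests/2.32"
10.0.0.77 - - [12/Nov/2025:09:20:31 +0000] "POST /api/v4/users/login/sso/code-exchange HTTP/1.1" 400 98 "-" "python-requests/2.32"
10.0.0.77 - - [12/Nov/2025:09:21:07 +0000] "POST /api/v4/users/login/sso/code-exchange HTTP/1.1" 401 77 "-" "python-requests/2.32"
10.0.0.77 - - [12/Nov/2025:09:22:45 +0000] "POST /api/v4/users/login/sso/code-exchange HTTP/1.1" 200 312 "-" "python-requests/2.32"
10.0.0.9 - - [12/Nov/2025:09:30:00 +0000] "GET /api/v4/users/me HTTP/1.1" 200 455 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for finding in code_exchange_findings(source):
        print(finding)
```

Run it with no arguments to see the constructed sample flagged (only 10.0.0.77, with statuses 400, 400, 401, 200 and both reasons), or pass the path of a real access log. Treat a hit as a lead for correlation with the preceding account creation and the affected victim account, not as proof on its own: a flaky SSO provider can also produce retries.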

Compensating Controls: If immediate patching is not feasible, the risk can be mitigated by changing the server configuration, either in config.json or through the System Console. The primary compensating control is to enable email verification by setting EmailSettings.RequireEmailVerification to true. This prevents the attacker from using an unverified, specially crafted email address to initiate the attack. Note that verification emails must actually be deliverable: without a working SMTP configuration, new users will be unable to verify and will be locked out. Additionally, if users do not need to switch authentication methods, disabling the feature by setting ServiceSettings.ExperimentalEnableAuthenticationTransfer to false also closes this specific vulnerability. Both settings take their vulnerable value by default, so a key that is simply absent from config.json does not protect the instance; the safe value has to be set explicitly.
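As an added example, not part of the advisory or of Mattermost's own tooling, the script below evaluates a config.json for the exploitable combination of settings, applying the documented defaults (authentication transfer on, email verification off; assumed from the Mattermost configuration documentation) when a key is missing. The two embedded configurations are constructed: one stock file that leaves both keys unset, and one with the compensating controls applied, including the SMTP settings that email verification depends on.

```python
"""Check a Mattermost config.json for the settings under which the SSO code-exchange
account takeover is exploitable.

Added example; not the advisory's or Mattermost's own tooling. Default values are
assumed from the Mattermost configuration docs, and the sample configs are constructed."""
import json

# Values Mattermost applies when the key is absent from config.json (assumption).
DEFAULT_AUTH_TRANSFER = True     # ServiceSettings.ExperimentalEnableAuthenticationTransfer
DEFAULT_REQUIRE_VERIFY = False   # EmailSettings.RequireEmailVerification


def exposure(config):
    """Return the effective values of the two settings plus a list of findings.

    A missing key takes Mattermost's default, which is exactly the vulnerable value,
    so an unset key is treated as exposed rather than as safe."""
    svc = config.get("ServiceSettings", {})
    email = config.get("EmailSettings", {})
    transfer = svc.get("ExperimentalEnableAuthenticationTransfer", DEFAULT_AUTH_TRANSFER)
    verify = email.get("RequireEmailVerification", DEFAULT_REQUIRE_VERIFY)

    findings = []
    if transfer:
        findings.append("ServiceSettings.ExperimentalEnableAuthenticationTransfer is true "
                        "(Mattermost default)")
    if not verify:
        findings.append("EmailSettings.RequireEmailVerification is false (Mattermost default)")
    if verify and not email.get("SMTPServer"):
        # Verification is enforced but cannot be completed: new users will be locked out.
        findings.append("RequireEmailVerification is true but EmailSettings.SMTPServer is "
                        "empty; verification mail cannot be delivered")

    return {
        "auth_transfer": bool(transfer),
        "require_verification": bool(verify),
        "exploitable": bool(transfer and not verify),
        "findings": findings,
    }


# Constructed sample: a stock config that never mentions either key. Both defaults apply.
WEAK_CONFIG = json.loads("""
{
  "ServiceSettings": { "SiteURL": "https://chat.example.internal" },
  "EmailSettings":   { "SendEmailNotifications": false }
}
""")

# Constructed sample: both compensating controls set explicitly. Either one alone
# makes `exploitable` false; SMTP settings make the verification requirement workable.
HARDENED_CONFIG = json.loads("""
{
  "ServiceSettings": {
    "SiteURL": "https://chat.example.internal",
    "ExperimentalEnableAuthenticationTransfer": false
  },
  "EmailSettings": {
    "SendEmailNotifications": true,
    "RequireEmailVerification": true,
    "SMTPServer": "smtp.example.internal",
    "SMTPPort": "587"
  }
}
""")

if __name__ == "__main__":
    import sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK_CONFIG
    result = exposure(cfg)
    print("exploitable:", result["exploitable"])
    for f in result["findings"]:
        print(" -", f)
```

Point it at a server's config.json (or run it bare to see the constructed weak config flagged). It only reads the file; it does not apply changes, because the safe values should be set deliberately after confirming that SMTP works and that users do not rely on switching authentication methods.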

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.9 and the potential for complete account compromise from an ordinary user account, this vulnerability requires immediate attention. The fact that the default Mattermost configuration is vulnerable elevates the risk: every unpatched instance whose administrators have not changed these settings should be assumed exposed. We strongly recommend that organizations prioritize the deployment of the security updates provided by Mattermost across all affected instances without delay. If patching cannot be performed immediately, implement the compensating controls described above, enabling email verification (with working SMTP delivery) or disabling authentication transfer, until the upgrade is complete.