Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8(Go) | 10.7.0-rc1 | 10.7.1 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 10.0.0-rc1 | 10.5.4 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 9.0.0-rc1 | 9.11.13 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 0 | 8.0.0-20250414095146-04676582cdd2 | N/A |
| github.com/mattermost/mattermost/server/v8(Go) | 10.6.0-rc1 | 10.6.3 | N/A |
CVSS Metrics
