CVE-2025-12421
Account Takeover via Code Exchange EndpointMattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
We have discovered 62 live websites that are affected by CVE-2025-12421.
Affected Software
| Product |  Mattermost |
| Category | Message Boards |
| Vulnerable Domains | 62 live websites (15% of Mattermost install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 10 versions ( 15% of all versions) |
Common Weakness Enumeration
CWE-303 Incorrect Implementation of Authentication AlgorithmDetails
- Published - Nov 27, 2025
- Updated - Feb 26, 2026
Credits
- daw10 (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-12421 United States | 13 websites |
 Germany | 23 websites |
 GB | 9 websites |
 France | 3 websites |
 Czech Republic | 2 websites |
 Russia | 2 websites |
 Turkmenistan | 2 websites |
 Austria | 1 websites |
 Canada | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-12421| .org | 14 websites |
| .com | 13 websites |
| .de | 11 websites |
| .ru | 4 websites |
| .co.uk | 2 websites |
| .fr | 2 websites |
| .info | 2 websites |
| .net | 2 websites |
| .io | 1 websites |
| .pl | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-12421
Top websites that are affected by CVE-2025-12421. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | Germany | ***,*** | |
| ****.*******.com | GB | ***,*** | |
| ****.*******.org | Germany | *,***,*** | |
| ***********.ru | Russia | *,***,*** | |
| ****.*******.com | Germany | *,***,*** | |
| ****.*********.org | United States | *,***,*** | |
| ****.**************.de | Germany | *,***,*** | |
| *****.*************.org | GB | *,***,*** | |
| *******.org | Germany | *,***,*** | |
| ******.*************.org | GB | **,***,*** |
FAQ
CVE-2025-12421 is Incorrect Implementation of Authentication Algorithm in Mattermost
A total of 62 websites have been identified as vulnerable to CVE-2025-12421, based on global website indexing conducted by WebTechSurvey.
The Mattermost is affected by the CVE-2025-12421 vulnerability.
Mattermost versions up to and including 11.0.2 are vulnerable to CVE-2025-12421.