Mattermost Confluence Plugin is Missing Authentication for Critical Function

Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.

References

Published by the National Vulnerability Database Aug 11, 2025

Published to the GitHub Advisory Database Aug 11, 2025

Last updated Aug 12, 2025

Reviewed Aug 12, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Missing Authentication for Critical Function

CVE ID

GHSA ID

Source code

Uh oh!