Unauthorized Channel Subscription Read in Mattermost Confluence Plugin
Description
Mattermost Confluence Plugin versions before 1.5.0 fail to check the user's access to the channel, which allows attackers to obtain channel subscription details without proper access to the channel via an API call to the Get Channel Subscriptions details endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost Confluence Plugin before 1.5.0 lacks channel access checks, allowing attackers to retrieve subscription details via API.
Vulnerability
Description
CVE-2025-44001 affects the Mattermost Confluence Plugin versions prior to 1.5.0. The plugin fails to verify that the requesting user has proper access to a channel when processing API calls to the Get Channel Subscriptions endpoint. This oversight allows an attacker to obtain details about channel subscriptions without being a member of the target channel [1].
Exploitation
Prerequisites
The attack is performed through API calls, likely requiring an authenticated user session but no special privileges beyond being able to communicate with the Mattermost instance. The vulnerability exposes subscription metadata, which includes information about which channels are subscribed to which Confluence events [2]. No user interaction is needed beyond the attacker sending the malicious request.
Impact
An attacker can enumerate channel subscriptions across the system, revealing which channels receive Confluence updates. This information leakage could aid in reconnaissance, such as identifying high-value channels or understanding team structures. The confidentiality of subscription details is compromised, though no direct modification or data alteration is possible through this vulnerability.
Mitigation
The issue is fixed in Mattermost Confluence Plugin version 1.5.0. Users should upgrade to this version or later. There is no evidence of active exploitation or inclusion in CISA's Known Exploited Vulnerabilities catalog as of the publication date. The Mattermost security updates page [3] provides general guidance for addressing security issues.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
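As an added illustration of the missing check the advisory describes (this is not the plugin's code; the Subscription type, the PermissionChecker interface and the in-memory membership map are assumptions standing in for the Mattermost plugin API), the unchecked handler below returns subscription details for any channel ID, while the hardened form refuses unless the caller can read the channel:

```go
package main

import "errors"

// Subscription is a constructed stand-in for a Confluence-to-channel subscription record.
type Subscription struct {
	ChannelID, SpaceKey string
	Events              []string
}

// PermissionChecker is an assumed abstraction over the plugin API call that answers
// "may this user read this channel?" (the real Mattermost plugin API exposes HasPermissionToChannel).
type PermissionChecker interface {
	HasPermissionToChannel(userID, channelID string) bool
}

var ErrForbidden = errors.New("forbidden: user cannot read this channel")

// Store holds subscriptions keyed by channel ID plus the permission checker.
type Store struct {
	Perms PermissionChecker
	Subs  map[string][]Subscription
}

// GetChannelSubscriptionsUnchecked models the pre-1.5.0 behaviour the advisory describes:
// details come back for any channel ID, whoever the caller is.
func (s *Store) GetChannelSubscriptionsUnchecked(userID, channelID string) ([]Subscription, error) {
	return s.Subs[channelID], nil
}

// GetChannelSubscriptions is the hardened form: deny before touching the data
// unless the requesting user can read the channel.
func (s *Store) GetChannelSubscriptions(userID, channelID string) ([]Subscription, error) {
	if userID == "" || !s.Perms.HasPermissionToChannel(userID, channelID) {
		return nil, ErrForbidden
	}
	return s.Subs[channelID], nil
}

// membership is a constructed in-memory checker: userID -> channelID -> may read.
type membership map[string]map[string]bool

func (m membership) HasPermissionToChannel(userID, channelID string) bool { return m[userID][channelID] }

// NewDemoStore builds constructed sample data: alice may read "eng", bob may not.
func NewDemoStore() *Store {
	sub := Subscription{ChannelID: "eng", SpaceKey: "ENG", Events: []string{"page_created"}}
	return &Store{Perms: membership{"alice": {"eng": true}}, Subs: map[string][]Subscription{"eng": {sub}}}
}
```

The point of the hardened form is that the access decision happens before any subscription data is read, so a caller outside the channel learns nothing, not even whether a subscription exists.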
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost-plugin-confluence | Go | < 1.5.0 | 1.5.0 |
Affected products
- Range: <1.5.0
- Mattermost/Mattermost Confluence Plugin, v5, Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vpcr-fqpc-386h (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-44001 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, WEB)
News mentions
No linked articles in our index yet.