VYPR
High severity · NVD Advisory · Published Aug 11, 2025 · Updated Aug 11, 2025

Unauthenticated Channel Subscription Creation in Mattermost Confluence Plugin

CVE-2025-44004

Description

Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mattermost Confluence Plugin before 1.5.0 lacks authorization checks, allowing attackers to create channel subscriptions via the API without proper credentials.

Vulnerability Description

The Mattermost Confluence Plugin versions prior to 1.5.0 do not verify that the caller of the create channel subscription endpoint is an authenticated, authorized user of the Mattermost instance [1]. Because the check is missing entirely, anyone who can reach the plugin's HTTP API can create subscriptions without credentials or channel permissions.

Exploitation

An attacker exploits this by sending a request directly to the create channel subscription endpoint with a body naming the target channel. No prior authentication or special privileges on the Mattermost instance are required [1]; the handler never asks who the requester is, so it cannot enforce who may create subscriptions.

Impact

Successful exploitation lets an attacker create channel subscriptions that route Confluence events into Mattermost channels. Confluence activity such as page updates or comments could then be posted to channels that were never meant to receive it [2]. The CVE description covers creation only; it does not state that existing subscriptions can be modified or removed, so any further impact should be confirmed against the plugin rather than assumed.

Mitigation

Users should upgrade to Mattermost Confluence Plugin version 1.5.0 or later, which includes the necessary authorization checks [1]. No workaround is documented. Mattermost recommends following their security updates page for future advisories [3].
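The pattern behind the Vulnerability Description and the fix the Mitigation refers to, as an added Go example that is not the plugin's own code and does not reproduce its real handler. The endpoint path, the JSON field names and the staticPermissions stand-in for the plugin API permission call are assumptions for the demo. What is not an assumption: the Mattermost server sets the Mattermost-User-ID header on requests it proxies to a plugin only for authenticated sessions and strips any client-supplied copy, so an empty header means an unauthenticated caller.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// subscriptionRequest is a constructed body for the hypothetical endpoint;
// the real plugin's field names are not on the page.
type subscriptionRequest struct {
	ChannelID string `json:"channel_id"`
	SpaceKey  string `json:"space_key"`
}

// subscriptionStore records created subscriptions so the effect is observable.
type subscriptionStore struct{ subs []subscriptionRequest }

// permissionChecker stands in for the Mattermost plugin API's channel permission
// call (assumption: the real plugin would ask the server through its API object).
type permissionChecker interface {
	HasPermissionToChannel(userID, channelID string) bool
}

// staticPermissions is a constructed user -> channels map used in place of the server.
type staticPermissions map[string][]string

func (p staticPermissions) HasPermissionToChannel(userID, channelID string) bool {
	for _, c := range p[userID] {
		if c == channelID {
			return true
		}
	}
	return false
}

func decodeRequest(r *http.Request) (subscriptionRequest, error) {
	var req subscriptionRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return req, err
	}
	if req.ChannelID == "" {
		return req, fmt.Errorf("channel_id is required")
	}
	return req, nil
}

// vulnerableHandler mirrors the flaw class: it never asks who the caller is.
func vulnerableHandler(s *subscriptionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		req, err := decodeRequest(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		s.subs = append(s.subs, req)
		w.WriteHeader(http.StatusCreated)
	}
}

// hardenedHandler rejects callers without a server-set Mattermost-User-ID and
// then checks that the user may act on the target channel before creating anything.
func hardenedHandler(s *subscriptionStore, pc permissionChecker) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("Mattermost-User-ID")
		if userID == "" {
			http.Error(w, "not authorized", http.StatusUnauthorized)
			return
		}
		req, err := decodeRequest(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if !pc.HasPermissionToChannel(userID, req.ChannelID) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		s.subs = append(s.subs, req)
		w.WriteHeader(http.StatusCreated)
	}
}

// simulate POSTs body to h, with the user header only when userID is non-empty,
// and returns the HTTP status code; the path is an assumption.
func simulate(h http.HandlerFunc, userID, body string) int {
	r := httptest.NewRequest(http.MethodPost, "/api/v1/subscription", strings.NewReader(body))
	if userID != "" {
		r.Header.Set("Mattermost-User-ID", userID)
	}
	rr := httptest.NewRecorder()
	h(rr, r)
	return rr.Code
}

func main() {
	body := `{"channel_id":"chan-eng","space_key":"ENG"}`
	perms := staticPermissions{"user-alice": {"chan-eng"}}
	vs, hs := &subscriptionStore{}, &subscriptionStore{}
	fmt.Println("vulnerable, anonymous:", simulate(vulnerableHandler(vs), "", body))
	fmt.Println("hardened, anonymous:", simulate(hardenedHandler(hs, perms), "", body))
	fmt.Println("hardened, user-bob:", simulate(hardenedHandler(hs, perms), "user-bob", body))
	fmt.Println("hardened, user-alice:", simulate(hardenedHandler(hs, perms), "user-alice", body))
}
```

The anonymous request succeeds against the vulnerable handler and is refused with 401 by the hardened one; a user without access to the channel gets 403, and only a permitted user creates a subscription. Checking the header alone is not enough: without the per-channel permission check, any logged-in user could still wire Confluence events into channels they cannot read.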

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/mattermost/mattermost-plugin-confluence (Go)
Affected versions: < 1.5.0
Patched versions: 1.5.0

Affected products: 2

Patches: 0 (no patch commit linked yet; the fixed release is 1.5.0)


References: 3
