Unauthenticated Access to Channel Subscription in Mattermost Confluence Plugin
Description
Mattermost Confluence Plugin versions before 1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated attackers to access subscription details via an API call to the GET subscription endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost Confluence Plugin before 1.5.0 lacks authentication on GET subscription endpoint, exposing subscription details to unauthenticated attackers.
Vulnerability
Description
The Mattermost Confluence Plugin versions prior to 1.5.0 fail to enforce user authentication when handling API requests to the GET subscription endpoint [1]. This missing authentication check allows any unauthenticated attacker to retrieve subscription details without valid credentials.
Exploitation
An attacker can exploit this vulnerability by sending a direct API call to the GET subscription endpoint without any authentication token or session. No prior access to the Mattermost instance or Confluence is required; the endpoint is accessible over the network if the plugin is installed and reachable.
Impact
Successful exploitation discloses subscription configuration details, which may include Confluence base URLs, subscription aliases, and possibly event types being monitored [1]. This information could aid further attacks or reveal internal infrastructure details.
Mitigation
Mattermost addressed this issue in Confluence Plugin version 1.5.0 [1]. Users should upgrade to the latest version to ensure proper authentication is enforced. No workarounds are available for older versions.
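The defect described above is a handler that serves subscription data without checking who is asking. The following Go program is an added illustration, not code from the Mattermost Confluence Plugin or from the advisory: it shows the flawed pattern beside a hardened handler that first requires an authenticated Mattermost user and then checks that the user is a member of the channel before returning the record. It relies on the Mattermost server setting the `Mattermost-User-Id` header on requests it forwards to a plugin on behalf of a logged-in user (and removing any client-supplied copy); the route path, the `Subscription` type, and the membership and subscription data are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Subscription is a constructed stand-in for a channel subscription record; the
// real plugin's data model is not reproduced here.
type Subscription struct {
	Alias     string `json:"alias"`
	BaseURL   string `json:"baseURL"`
	ChannelID string `json:"channelID"`
}

// subscriptions and channelMembers are constructed sample data so the example
// runs offline.
var subscriptions = map[string]Subscription{
	"chan-1": {Alias: "eng-docs", BaseURL: "https://confluence.example.internal", ChannelID: "chan-1"},
}
var channelMembers = map[string]map[string]bool{
	"chan-1": {"user-1": true},
}

// subscriptionPath is a hypothetical route, not the plugin's own.
const subscriptionPath = "/api/v1/subscriptions/"

// writeSubscription looks up the channel's subscription and writes it as JSON.
func writeSubscription(w http.ResponseWriter, channelID string) {
	sub, ok := subscriptions[channelID]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(sub)
}

// unauthenticatedHandler serves subscription details to any caller: the flawed
// pattern the advisory describes, where the handler never checks who is asking.
func unauthenticatedHandler(w http.ResponseWriter, r *http.Request) {
	writeSubscription(w, strings.TrimPrefix(r.URL.Path, subscriptionPath))
}

// subscriptionHandler is the hardened form. The Mattermost server populates
// Mattermost-User-Id only for requests from an authenticated session (assumed
// here), so an empty value means the caller is unauthenticated. Authentication
// alone is not enough: the user must also be allowed to see this channel.
func subscriptionHandler(w http.ResponseWriter, r *http.Request) {
	userID := r.Header.Get("Mattermost-User-Id")
	if userID == "" {
		http.Error(w, "not authorized", http.StatusUnauthorized)
		return
	}
	channelID := strings.TrimPrefix(r.URL.Path, subscriptionPath)
	if !channelMembers[channelID][userID] {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	writeSubscription(w, channelID)
}

// fetchStatus drives a handler in-process with an optional user header and
// returns the resulting HTTP status code.
func fetchStatus(h http.HandlerFunc, userID string) int {
	req := httptest.NewRequest(http.MethodGet, subscriptionPath+"chan-1", nil)
	if userID != "" {
		req.Header.Set("Mattermost-User-Id", userID)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("flawed, no session:     ", fetchStatus(unauthenticatedHandler, ""))
	fmt.Println("hardened, no session:   ", fetchStatus(subscriptionHandler, ""))
	fmt.Println("hardened, non-member:   ", fetchStatus(subscriptionHandler, "user-2"))
	fmt.Println("hardened, channel member:", fetchStatus(subscriptionHandler, "user-1"))
}
```

The flawed handler answers 200 to a request with no session at all, which is the condition the advisory describes. The hardened handler answers 401 without a session and 403 for an authenticated user outside the channel; the membership check matters because subscription details are scoped to a channel, and a plugin that only verifies the header would still leak one channel's Confluence configuration to any logged-in user.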
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-plugin-confluence (Go) | < 1.5.0 | 1.5.0 |
Affected products (2)
- Range: < 1.5.0
- Mattermost / Mattermost Confluence Plugin v5, range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-rfg4-2m63-fw2q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-49221 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, WEB)
News mentions
No linked articles in our index yet.