VYPR
Low severity · NVD Advisory · Published Aug 11, 2025 · Updated Aug 11, 2025

Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin

CVE-2025-53857

Description

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mattermost Confluence Plugin before v1.5.0 fails to verify channel membership, allowing unauthorized access to subscription details via the GetChannelSubscriptions API endpoint.

Vulnerability

Overview

The Mattermost Confluence Plugin, versions prior to 1.5.0, contains an authorization bypass vulnerability in the GET autocomplete/GetChannelSubscriptions API endpoint. The plugin fails to verify that the requesting user is a member of the channel for which they are querying subscription details. This missing access check allows any authenticated attacker to retrieve subscription configurations for channels they should not have access to [1].

Attack

Vector and Prerequisites

An attacker must be an authenticated user of the Mattermost instance where the Confluence plugin is installed. No special privileges are required beyond basic authentication. The attacker can then craft an API call to the affected endpoint, specifying a target channel ID or name, and the plugin will return subscription data without validating the user's membership in that channel [2]. The vulnerability lies in the missing authorization step, not in any complex exploitation technique.
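The missing authorization step, modelled as an added example that is not the plugin's own code: a handler that authenticates the caller but never checks channel membership (the pre-1.5.0 behaviour as the advisory describes it) beside a hardened handler that refuses non-members before touching subscription data. The `channel_id` query parameter, the `Subscription` shape, the `MembershipChecker` interface and the in-memory store are assumptions made for the example; the `Mattermost-User-Id` header is the one the Mattermost server sets on plugin HTTP requests made by an authenticated user.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Subscription is a constructed stand-in for what the endpoint exposes:
// the watched Confluence space, the notifying events and the alias.
type Subscription struct {
	Alias    string   `json:"alias"`
	SpaceKey string   `json:"space_key"`
	Events   []string `json:"events"`
}

// MembershipChecker is the authorization dependency the hardened handler needs;
// a real plugin would wrap the Mattermost plugin API's channel-member lookup.
type MembershipChecker interface {
	IsChannelMember(channelID, userID string) bool
}

// fakeStore is an in-memory stand-in for channel membership and subscription data.
type fakeStore struct {
	members map[string]map[string]bool // channelID -> set of member userIDs
	subs    map[string][]Subscription // channelID -> subscriptions
}

// A missing channel indexes to a nil map, which indexes to false: unknown channels deny.
func (s *fakeStore) IsChannelMember(channelID, userID string) bool {
	return s.members[channelID][userID]
}

// newSampleStore builds constructed data: alice is in chan-eng only, bob is in both.
func newSampleStore() *fakeStore {
	return &fakeStore{
		members: map[string]map[string]bool{
			"chan-eng":    {"alice": true, "bob": true},
			"chan-secret": {"bob": true},
		},
		subs: map[string][]Subscription{
			"chan-eng":    {{Alias: "eng-docs", SpaceKey: "ENG", Events: []string{"page_created", "page_updated"}}},
			"chan-secret": {{Alias: "deal-room", SpaceKey: "DEAL", Events: []string{"page_created"}}},
		},
	}
}

// userIDHeader is set by the Mattermost server on plugin HTTP requests from an authenticated user.
const userIDHeader = "Mattermost-User-Id"

// vulnerableHandler models the pre-1.5.0 behaviour: the caller is authenticated,
// but nothing checks that the caller is a member of the requested channel.
func vulnerableHandler(store *fakeStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(userIDHeader) == "" {
			http.Error(w, "not authorized", http.StatusUnauthorized)
			return
		}
		channelID := r.URL.Query().Get("channel_id") // parameter name is an assumption
		_ = json.NewEncoder(w).Encode(store.subs[channelID])
	}
}

// hardenedHandler adds the missing step: refuse unless the caller is a channel member.
// "No such channel" and "not a member" share one 403, so the endpoint cannot be used to probe channel IDs.
func hardenedHandler(store *fakeStore, checker MembershipChecker) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get(userIDHeader)
		if userID == "" {
			http.Error(w, "not authorized", http.StatusUnauthorized)
			return
		}
		channelID := r.URL.Query().Get("channel_id")
		if !checker.IsChannelMember(channelID, userID) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		_ = json.NewEncoder(w).Encode(store.subs[channelID])
	}
}

// query drives a handler in-process and returns the status code plus decoded subscriptions.
func query(h http.Handler, userID, channelID string) (int, []Subscription) {
	req := httptest.NewRequest(http.MethodGet, "/autocomplete/GetChannelSubscriptions?channel_id="+channelID, nil)
	if userID != "" {
		req.Header.Set(userIDHeader, userID)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var subs []Subscription
	_ = json.NewDecoder(rec.Body).Decode(&subs) // plain-text error bodies leave subs nil
	return rec.Code, subs
}

func main() {
	store := newSampleStore()
	code, subs := query(vulnerableHandler(store), "alice", "chan-secret") // alice is not in chan-secret
	fmt.Println("vulnerable:", code, subs)
	code, subs = query(hardenedHandler(store, store), "alice", "chan-secret")
	fmt.Println("hardened:  ", code, subs)
}
```

The point to take from the two handlers is that authentication alone (the header is present) says nothing about authorization: the object being read belongs to a channel, so the check has to be "is this user a member of this channel", performed before any subscription data is loaded. Returning the same 403 for an unknown channel and for a non-member keeps the patched endpoint from doubling as a channel-ID existence oracle.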

Impact

Successful exploitation exposes channel subscription details, which may include:

- The Confluence space or page being monitored
- The specific events that trigger notifications (e.g., page created, updated, deleted)
- The alias and configuration of the subscription

This information leakage can aid an attacker in reconnaissance, revealing which projects or documents are being tracked, potentially leading to further targeted attacks against Confluence content or team workflows [2].

Mitigation

The vulnerability is fixed in version 1.5.0 of the Mattermost Confluence Plugin. Users are strongly advised to update to this version or later [3]. No workarounds have been publicly documented. The plugin's GitHub repository [2] and Mattermost's Security Updates page [3] provide release notes and update guidance.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/mattermost/mattermost-plugin-confluence (Go)
Affected versions: < 1.5.0
Patched versions: 1.5.0

Affected products: 2

Patches: 0

No patches discovered yet.


References: 3

News mentions: 0

No linked articles in our index yet.