VYPR
Moderate severity · NVD Advisory · Published Aug 11, 2025 · Updated Aug 11, 2025

Unauthorized Channel Subscription Edit in Mattermost Confluence Plugin

CVE-2025-53910

Description

Mattermost Confluence Plugin versions <1.5.0 fail to check the requesting user's access to the channel, which allows attackers to create a channel subscription without proper access to the channel via an API call to the edit channel subscription endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mattermost Confluence Plugin <1.5.0 fails to verify channel access for API subscription edits, letting unauthorized users create subscriptions to arbitrary channels.

Vulnerability

CVE-2025-53910 is an authorization bypass vulnerability in the Mattermost Confluence Plugin versions prior to 1.5.0. When processing API calls to the edit channel subscription endpoint, the plugin does not check whether the requesting user has access to the Mattermost channel named in the request. This missing access control lets an authenticated attacker create or modify subscriptions for channels they are not a member of [1][2].

Attack

The vulnerability is exploited through the plugin's API endpoint for editing channel subscriptions. An attacker who can reach the Mattermost instance and holds a valid session or API token can craft a request that creates a subscription delivering Confluence notifications into a private or restricted channel they are not a member of. No privilege beyond an ordinary authenticated account is required, because the plugin never verifies channel membership before acting on the channel referenced by the request [1][3].
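The missing check described above, as an added example written for this page rather than the plugin's own code: a minimal Go handler pair modelled on how a Mattermost plugin receives the authenticated user (the server sets the Mattermost-User-Id header on requests it forwards to a plugin). The vulnerable handler trusts whatever channel ID the body names; the fixed handler refuses unless the caller can read both the target channel and, for an existing subscription, the channel it is currently attached to. The Subscription type, the ChannelAccess interface standing in for the plugin API's permission lookup, the in-memory membership table and the /api/v1/subscription path are assumptions for illustration, not the real plugin's names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Subscription is a simplified stand-in for a Confluence-notification
// subscription bound to a Mattermost channel (constructed for this example).
type Subscription struct {
	ID        string `json:"id"`
	ChannelID string `json:"channel_id"`
	SpaceKey  string `json:"space_key"`
}

// ChannelAccess abstracts the membership check a real plugin would perform
// through the Mattermost plugin API (hypothetical interface for this example).
type ChannelAccess interface {
	CanReadChannel(userID, channelID string) bool
}

// staticAccess is an in-memory user -> channel -> allowed table.
type staticAccess map[string]map[string]bool

func (s staticAccess) CanReadChannel(userID, channelID string) bool {
	return s[userID][channelID]
}

// Store keeps subscriptions keyed by ID (single-threaded example store).
type Store struct{ subs map[string]Subscription }

func NewStore() *Store { return &Store{subs: map[string]Subscription{}} }

func (s *Store) Get(id string) (Subscription, bool) { sub, ok := s.subs[id]; return sub, ok }
func (s *Store) Put(sub Subscription)              { s.subs[sub.ID] = sub }

// Mattermost forwards the authenticated user's ID to plugin HTTP handlers in
// this header; an empty value means the request was not authenticated.
const userIDHeader = "Mattermost-User-Id"

func decodeSub(r *http.Request) (Subscription, error) {
	var sub Subscription
	if err := json.NewDecoder(r.Body).Decode(&sub); err != nil {
		return sub, err
	}
	if sub.ID == "" || sub.ChannelID == "" {
		return sub, fmt.Errorf("id and channel_id are required")
	}
	return sub, nil
}

// vulnerableEditHandler mirrors the flaw in the advisory: it only checks that
// the caller is logged in, then stores whatever channel_id the body names.
func vulnerableEditHandler(store *Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(userIDHeader) == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		sub, err := decodeSub(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		store.Put(sub) // no check that the caller can see sub.ChannelID
		w.WriteHeader(http.StatusOK)
	}
}

// fixedEditHandler adds the missing authorization: the caller must be able to
// read the target channel and, when modifying an existing subscription, the
// channel it is currently attached to (so subscriptions cannot be hijacked).
func fixedEditHandler(store *Store, access ChannelAccess) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get(userIDHeader)
		if userID == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		sub, err := decodeSub(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if !access.CanReadChannel(userID, sub.ChannelID) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if old, ok := store.Get(sub.ID); ok && !access.CanReadChannel(userID, old.ChannelID) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		store.Put(sub)
		w.WriteHeader(http.StatusOK)
	}
}

// submitEdit drives a handler in-process and returns the HTTP status code,
// so the two behaviours can be compared without a running server.
func submitEdit(h http.Handler, userID string, sub Subscription) int {
	body, _ := json.Marshal(sub)
	req := httptest.NewRequest(http.MethodPut, "/api/v1/subscription", bytes.NewReader(body))
	if userID != "" {
		req.Header.Set(userIDHeader, userID)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed membership table: alice is only in town-square, bob is in both.
	access := staticAccess{"alice": {"town-square": true}, "bob": {"town-square": true, "execs-private": true}}
	leak := Subscription{ID: "sub-1", ChannelID: "execs-private", SpaceKey: "ENG"}
	fmt.Println("vulnerable, alice ->", submitEdit(vulnerableEditHandler(NewStore()), "alice", leak))
	fixed := NewStore()
	fmt.Println("fixed, alice ->", submitEdit(fixedEditHandler(fixed, access), "alice", leak))
	fmt.Println("fixed, bob ->", submitEdit(fixedEditHandler(fixed, access), "bob", leak))
}
```

In a real Mattermost plugin the ChannelAccess lookup would be the plugin API's permission check against the channel, and the important design point is that the check runs against the channel ID taken from the request body, not against anything the caller could have pre-populated.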

Impact

Successful exploitation lets the attacker inject Confluence notifications (such as page or space updates) into arbitrary channels, including private ones they cannot otherwise post to. This can expose Confluence content to channel members who are not meant to see it, flood channels with unwanted notifications, or lend credibility to social engineering attempts within the organization [1][2][3].

Mitigation

Mattermost has addressed this issue in Confluence Plugin version 1.5.0. Users and administrators are strongly advised to update to version 1.5.0 or later. No workarounds are documented beyond the patch [1][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                                  Affected versions   Patched versions
github.com/mattermost/mattermost-plugin-confluence (Go)  < 1.5.0             1.5.0

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3