Unexpected input to Create Channel Subscription endpoint causes DoS in Mattermost Confluence Plugin
Description
Mattermost Confluence Plugin version <1.5.0 fails to handle an unexpected request body, which allows attackers to crash the plugin via constant hits to the create channel subscription endpoint with an invalid request body.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mattermost Confluence Plugin <1.5.0 crashes under constant invalid requests to the create channel subscription endpoint due to improper request body handling.
The vulnerability in Mattermost Confluence Plugin versions before 1.5.0 arises from improper handling of unexpected request bodies. When the create channel subscription endpoint receives an invalid request body, the plugin fails to process it correctly, leading to a crash. This issue is documented in the NVD description [1].
An attacker can exploit this by sending constant, malformed requests to the create channel subscription endpoint. No authentication is explicitly required, and the attacker only needs network access to the Mattermost server running the plugin. The constant hits cause the plugin to repeatedly crash, making it unavailable [1].
The impact is a denial-of-service (DoS) of the plugin, preventing Confluence event notifications from being delivered to Mattermost channels. This disrupts workflow integration and collaboration. The latest plugin version is available on GitHub [2], and security updates are listed on Mattermost's security page [3].
Mitigation requires upgrading to version 1.5.0 or later. Users should follow the update instructions in the plugin repository [2]. No workarounds are mentioned in the available sources.
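The sources do not show the plugin's handler or the exact root cause of the crash, so what follows is an added Go example, not the plugin's own code: a hypothetical create-subscription handler that decodes the request body strictly and rejects malformed input with 400, wrapped in a recover middleware so that a panic in a handler fails only that request instead of the plugin process. The struct fields, the body size cap and the route path are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
)
// Assumed body shape for the create-subscription endpoint; not the plugin's real struct.
type subscriptionRequest struct {
	ChannelID string `json:"channel_id"`
	SpaceKey  string `json:"space_key"`
}
// decodeSubscription parses strictly: empty body, wrong types, unknown and missing fields all return errors.
func decodeSubscription(r io.Reader) (*subscriptionRequest, error) {
	dec := json.NewDecoder(io.LimitReader(r, 64<<10)) // assumed 64 KiB cap on the body
	dec.DisallowUnknownFields()
	var req subscriptionRequest
	if err := dec.Decode(&req); err != nil {
		return nil, err
	}
	if req.ChannelID == "" || req.SpaceKey == "" {
		return nil, errors.New("channel_id and space_key are required")
	}
	return &req, nil
}
// createSubscription answers 400 for any malformed body rather than crashing.
func createSubscription(w http.ResponseWriter, r *http.Request) {
	req, err := decodeSubscription(r.Body)
	if err != nil {
		http.Error(w, "invalid request body: "+err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
	_ = json.NewEncoder(w).Encode(req)
}
// withRecover turns a handler panic into a logged 500 for that request, not a plugin-wide crash.
func withRecover(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic in %s: %v", r.URL.Path, rec)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}
```

Mount the handler as `withRecover(http.HandlerFunc(createSubscription))` on the subscription route; the recover wrapper is a backstop for defects the strict decoder does not catch.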
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mattermost/mattermost-plugin-confluence | Go | < 1.5.0 | 1.5.0 |
Affected products
- Range: <1.5.0
- Mattermost/Mattermost Confluence Plugin (v5), Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3cg3-3mmr-w8hj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-54525 (ghsa, ADVISORY)
- mattermost.com/security-updates (ghsa, WEB)
News mentions
No linked articles in our index yet.