Unauthorized Channel Subscription Creation in Mattermost Confluence Plugin

Vulnerability

Overview

The Mattermost Confluence Plugin versions prior to 1.5.0 contain an authorization bypass vulnerability in the channel subscription functionality. The plugin fails to verify whether the user making the API call has proper access to the target channel when creating a subscription via the "create channel subscription" endpoint [1][4]. This constitutes a missing authorization check at the API handler level.

Attack

Vector

An attacker can exploit this flaw by sending a crafted API request to the create channel subscription endpoint without needing any prior membership or access rights to the target channel. No authentication to the channel is required beyond general Mattermost access, and the attacker does not need to be a member of the channel they wish to subscribe [1][2]. The attack is performed remotely over the network using the Mattermost API.

Impact

A successful exploit allows an attacker to create Confluence event subscriptions to any Mattermost channel, regardless of their access permissions. This could result in unauthorized monitoring of Confluence activity (page updates, comments, space changes) being delivered into a channel the attacker cannot normally access or control. The impact is primarily a violation of channel confidentiality and integrity since the attacker may observe or manipulate which notifications a channel receives [2][3].

Mitigation

Mattermost has addressed this vulnerability by releasing version 1.5.0 of the Confluence Plugin. Users are advised to upgrade to version 1.5.0 or later. There is no known workaround for unpatched versions [1][4]. The vulnerability is tracked as GO-2025-3868 in the Go vulnerability database [3].