Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint.
Fixes

Solution

Update Mattermost Confluence Plugin to version 1.5.0 or higher.


Workaround

No workaround given by the vendor.

References
History

Thu, 25 Sep 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost confluence
CPEs cpe:2.3:a:mattermost:confluence:*:*:*:*:*:mattermost:*:*
Vendors & Products Mattermost confluence

Tue, 12 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 11 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Description Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint.
Title Unauthenticated Channel Subscription Creation in Mattermost Confluence Plugin
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-08-11T19:34:49.595Z

Reserved: 2025-07-28T14:26:12.435Z

Link: CVE-2025-44004

cve-icon Vulnrichment

Updated: 2025-08-11T19:34:44.314Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-11T19:15:27.623

Modified: 2025-09-25T18:53:07.317

Link: CVE-2025-44004

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-12T11:46:53Z