Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint.
Fixes

Solution

Update Mattermost Confluence Plugin to version 1.5.0 or higher.


Workaround

No workaround given by the vendor.

References
History

Thu, 25 Sep 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost confluence
CPEs cpe:2.3:a:mattermost:confluence:*:*:*:*:*:mattermost:*:*
Vendors & Products Mattermost confluence

Tue, 12 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 11 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Description Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint.
Title Unauthorized Subscription Edit to Confluence Space in Mattermost Confluence Plugin
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-08-11T19:35:23.834Z

Reserved: 2025-07-28T14:28:27.503Z

Link: CVE-2025-48731

cve-icon Vulnrichment

Updated: 2025-08-11T19:35:18.843Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-11T19:15:27.953

Modified: 2025-09-25T18:55:22.210

Link: CVE-2025-48731

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-12T11:46:57Z