Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.
Fixes

Solution

Update Mattermost Confluence Plugin to version 1.5.0 or higher.


Workaround

No workaround given by the vendor.

References
History

Wed, 24 Sep 2025 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost confluence
CPEs cpe:2.3:a:mattermost:confluence:*:*:*:*:*:*:*:*
Vendors & Products Mattermost confluence

Tue, 12 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 11 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Description Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.
Title Unauthenticated Channel Subscription Edit in Mattermost Confluence Plugin
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2025-08-11T19:40:33.338Z

Reserved: 2025-07-28T14:26:12.443Z

Link: CVE-2025-54478

cve-icon Vulnrichment

Updated: 2025-08-11T19:40:27.615Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-11T19:15:30.220

Modified: 2025-09-24T00:41:21.053

Link: CVE-2025-54478

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-12T11:46:58Z