CVE-2025-44001 github.com/mattermost/mattermost-plugin-confluence

Package

Manager: go
Name: github.com/mattermost/mattermost-plugin-confluence
Vulnerable Version: >=0 <1.5.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: 0.00037 (percentile: 0.09876)

Details

Mattermost Confluence Plugin has a Missing Authorization vulnerability.

Mattermost Confluence Plugin versions < 1.5.0 fail to check the user's access to the channel, which allows attackers to get channel subscription details without proper access to the channel via an API call to the Get Channel Subscriptions details endpoint.

Metadata

Created: 2025-08-11T21:31:38Z
Modified: 2025-08-11T22:47:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-vpcr-fqpc-386h/GHSA-vpcr-fqpc-386h.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-vpcr-fqpc-386h
Finding: F039
Auto approve: 1