CVE-2025-44001: 
vulnerability analysis and mitigation

Mattermost Confluence Plugin version <1.5.0 contains an authorization bypass vulnerability that was disclosed on August 11, 2025. The vulnerability affects the channel subscription functionality in the Mattermost Confluence Plugin, allowing unauthorized access to channel subscription details (NVD).

The vulnerability stems from a missing authorization check when accessing channel subscription details. Specifically, the plugin fails to verify user access permissions to channels when making API calls to the Get Channel Subscriptions details endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 4.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N. The weakness has been classified as CWE-862 (Missing Authorization) (NVD).

When exploited, this vulnerability allows attackers to obtain channel subscription details for channels they should not have access to. This could lead to unauthorized information disclosure of channel membership and subscription data (NVD).

Users should upgrade to Mattermost Confluence Plugin version 1.5.0 or later which contains the fix for this vulnerability. The fix implements proper authorization checks for channel access before returning subscription details (Mattermost Security).