CVE-2025-44004: 
vulnerability analysis and mitigation

CVE-2025-44004 affects the Mattermost Confluence Plugin versions prior to 1.5.0. The vulnerability was discovered and disclosed on August 11, 2025, impacting the authentication mechanism of the plugin's channel subscription functionality (NVD).

The vulnerability stems from a failure to properly validate user authorization when accessing the Mattermost instance. Specifically, the plugin does not perform adequate authentication checks when users attempt to create channel subscriptions through the API endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows unauthorized attackers to create channel subscriptions without proper authentication via API calls to the create channel subscription endpoint. This could potentially lead to unauthorized access to channel information and compromise of information confidentiality (NVD).

Users are advised to upgrade to Mattermost Confluence Plugin version 1.5.0 or later, which contains the fix for this vulnerability (Mattermost).