Access Control Bypass: Mattermost Confluence Plugin <1.5.0 Channel Subs Leak
CVE-2025-44001 Published on August 11, 2025
Unauthorized Channel Subscription Read in Mattermost Confluence Plugin
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint.
Vulnerability Analysis
CVE-2025-44001 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-44001 has been classified to as an AuthZ vulnerability or weakness.
Affected Versions
Mattermost Confluence Plugin:- Before 1.5.0 is affected.
- Version 1.5.0 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.