CVE-2025-48731

MEDIUM 6.4 | EPSS 0.07%

Mattermost Confluence Plugin has Missing Authorization vulnerability

Published: 8/11/2025
Modified: 8/18/2025
Also known as: GHSA-cmpr-8prq-w5p5, GO-2025-3861

Description

Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to Confluence spaces, which allows attackers to edit subscriptions for Confluence spaces that users do not have access to through the edit subscription endpoint.

Affected packages (2)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | MEDIUM 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References (4)