CVE-2025-49221

Summary

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost Confluence Plugin0 < 1.5.0affected
MattermostMattermost Confluence Plugin1.5.0unaffected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References