CVE-2025-54478

Summary

Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost Confluence Plugin0 < 1.5.0affected
MattermostMattermost Confluence Plugin1.5.0unaffected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References