Access Control Flaw in Mattermost Confluence Plugin Affects User Channel Subscriptions
CVE-2025-8285

4MEDIUM

Key Information:

Vendor: Mattermost
Status: Mattermost Confluence Plugin
Vendor: CVE Published:; 11 August 2025

What is CVE-2025-8285?

A security flaw in the Mattermost Confluence Plugin prior to version 1.5.0 permits unauthorized users to create channel subscriptions via API calls, bypassing necessary access controls. This vulnerability arises due to a failure to validate user permissions accurately when interacting with the channel subscription endpoint, potentially compromising the integrity of user access within the system.

Affected Version(s)

Mattermost Confluence Plugin 0 < 1.5.0

Mattermost Confluence Plugin 1.5.0

References

https://mattermost.com/security-updates

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 11, 2025
Vulnerability Reserved
Jul 28, 2025

Credit

Lorenzo Gallegos