
CVE-2025-54458: Mattermost Confluence Plugin has Missing Authorization vulnerability

CVSS Score: 5 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 8/11/2025
Updated: 8/11/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Package Name: github.com/mattermost/mattermost-plugin-confluence
Ecosystem: go
Vulnerable Versions: < 1.5.0
First Patched Version: 1.5.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a missing authorization check in the Mattermost Confluence plugin. The analysis of the security patch between versions 1.4.0 and 1.5.0 reveals that the functions responsible for creating and editing subscriptions (handleSaveSubscription and handleEditChannelSubscription) were affected.

Prior to the patch, these functions would only verify that a user had an active connection to a Confluence instance, but critically failed to check whether that user had the necessary permissions to access the specific Confluence space or page for which they were creating or editing a subscription. This allowed a malicious actor to bypass Confluence's access controls and subscribe to notifications for restricted resources.

The fix, introduced in commit 97dbaf6c2983438401316865881e1f9630ccad2c, implements a new function, validateUserConfluenceAccess. This function explicitly checks with the Confluence API if the user has access to the target space or page. This new authorization check is now correctly invoked within both handleSaveSubscription and handleEditChannelSubscription, effectively closing the security gap. Therefore, these two functions are the primary runtime indicators of this vulnerability being triggered.
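The two handler shapes the analysis contrasts, written here as an added Go illustration rather than the plugin's own code: the names validateUserConfluenceAccess and the save/edit handlers come from the analysis above, while the ConfluenceClient stand-in, the Subscription type, all signatures and the alice/bob sample client are assumptions made for the example.

```go
package main

import "errors"

// Subscription is the hypothetical shape of what the save/edit handlers persist.
type Subscription struct{ UserID, SpaceKey, PageID string } // PageID empty = space-level
// ConfluenceClient is a hypothetical stand-in for the plugin's Confluence client:
// the connection check the old handlers did, plus the access check the fix added.
type ConfluenceClient struct {
	IsConnected   func(userID string) bool
	UserCanAccess func(userID, spaceKey, pageID string) (bool, error)
}

var ErrNotConnected = errors.New("user is not connected to Confluence")
var ErrForbidden = errors.New("user may not access the requested Confluence resource")

// saveSubscriptionVulnerable mirrors the pre-1.5.0 logic described above: only the
// connection is verified, so any connected user can subscribe to any space or page.
func saveSubscriptionVulnerable(c ConfluenceClient, s Subscription, store map[Subscription]bool) error {
	if !c.IsConnected(s.UserID) {
		return ErrNotConnected
	}
	store[s] = true
	return nil
}
// validateUserConfluenceAccess asks Confluence whether the user may see the target
// and fails closed: an API error never grants access.
func validateUserConfluenceAccess(c ConfluenceClient, s Subscription) error {
	if ok, err := c.UserCanAccess(s.UserID, s.SpaceKey, s.PageID); err != nil || !ok {
		return ErrForbidden
	}
	return nil
}
// saveSubscriptionFixed runs both checks before anything is stored, the shape of
// the 1.5.0 fix (the same check guards the edit handler).
func saveSubscriptionFixed(c ConfluenceClient, s Subscription, store map[Subscription]bool) error {
	if !c.IsConnected(s.UserID) {
		return ErrNotConnected
	}
	if err := validateUserConfluenceAccess(c, s); err != nil {
		return err
	}
	store[s] = true
	return nil
}

// demoClient is a constructed in-memory Confluence: alice and bob are connected, only alice may read ENG.
var demoClient = ConfluenceClient{
	IsConnected:   func(u string) bool { return u == "alice" || u == "bob" },
	UserCanAccess: func(u, space, _ string) (bool, error) { return u == "alice" && space == "ENG", nil },
}
```

With demoClient, the vulnerable handler stores bob's subscription to ENG because his connection check passes, while the fixed handler returns ErrForbidden for the same request.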
