The vulnerability, identified as CVE-2025-54478, stems from a lack of authentication on several critical API endpoints in the Mattermost Confluence Plugin. The root cause was the absence of a unified authentication and authorization check for endpoints that manage channel subscriptions.
Examining the commit that fixed this issue, de0a3d4c9eefa013e7d9f7a18d82eeced63322e6, shows how it was resolved. The developers introduced a new middleware function, checkAuth, in server/controller.go. This function inspects incoming HTTP requests for a Mattermost-User-Id header to verify the user's identity. Endpoints are now explicitly marked as requiring authentication via an IsAuthenticated: true flag in their definition, and the middleware is applied only to endpoints carrying that flag.
The most critical vulnerable function, as stated in the advisory, is handleEditChannelSubscription, which allowed unauthenticated attackers to modify existing subscriptions. However, analysis of the patch shows that other functions, namely handleSaveSubscription (creating subscriptions) and handleGetChannelSubscription/handleGetChannelSubscriptions (retrieving subscription information), were also unprotected and were secured in the same commit. An exploit would involve sending a direct API call to one of the affected endpoints, such as a PUT request to /api/v1/{channelID}/subscription/{type} to trigger handleEditChannelSubscription, without providing a valid Mattermost-User-Id header.
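The following Go program is an added illustration of the fix pattern described above; it is not code from the Mattermost Confluence Plugin or from the fixing commit. It reconstructs, in simplified and hypothetical form, a route table in which each endpoint carries an IsAuthenticated flag, a checkAuth middleware that rejects requests lacking the Mattermost-User-Id header, and a tiny dispatcher that applies the middleware only to flagged routes. The Endpoint and Router types, the matchPattern helper, the ProbeStatus function and the sample channel ID are all assumptions made for this example. NewRouter(false) models the pre-1.5.0 state (no flag, so no check) and NewRouter(true) the patched state, so the in-memory probe shows the difference the missing check makes without any network access.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Endpoint is a hypothetical reconstruction of the route definition style
// described in the write-up: each handler carries an IsAuthenticated flag.
type Endpoint struct {
	Method          string
	Path            string // segments in braces ("{channelID}") match any value
	IsAuthenticated bool
	Handler         http.HandlerFunc
}

// checkAuth wraps a handler and rejects any request that carries no
// Mattermost-User-Id header. In a deployed plugin this header is populated
// by the Mattermost server for requests from an authenticated session
// (assumption about the deployment context, not shown by the write-up).
func checkAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Mattermost-User-Id") == "" {
			http.Error(w, "Not authorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// handleEditChannelSubscription stands in for the endpoint named in the
// advisory; it only reports which user performed the edit.
func handleEditChannelSubscription(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "subscription updated by %q\n", r.Header.Get("Mattermost-User-Id"))
}

// matchPattern compares a request path against a route pattern segment by
// segment, treating "{name}" segments as wildcards.
func matchPattern(pattern, path string) bool {
	ps := strings.Split(strings.Trim(pattern, "/"), "/")
	qs := strings.Split(strings.Trim(path, "/"), "/")
	if len(ps) != len(qs) {
		return false
	}
	for i := range ps {
		wildcard := strings.HasPrefix(ps[i], "{") && strings.HasSuffix(ps[i], "}")
		if !wildcard && ps[i] != qs[i] {
			return false
		}
	}
	return true
}

// Router dispatches to the first matching Endpoint and applies checkAuth
// only to endpoints flagged IsAuthenticated.
type Router struct{ endpoints []Endpoint }

func (rt *Router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	for _, ep := range rt.endpoints {
		if ep.Method != r.Method || !matchPattern(ep.Path, r.URL.Path) {
			continue
		}
		h := ep.Handler
		if ep.IsAuthenticated {
			h = checkAuth(h)
		}
		h(w, r)
		return
	}
	http.NotFound(w, r)
}

// NewRouter builds the subscription route. patched=false models the
// pre-1.5.0 state (no flag, hence no middleware); patched=true the fixed state.
func NewRouter(patched bool) *Router {
	return &Router{endpoints: []Endpoint{{
		Method:          http.MethodPut,
		Path:            "/api/v1/{channelID}/subscription/{type}",
		IsAuthenticated: patched,
		Handler:         handleEditChannelSubscription,
	}}}
}

// ProbeStatus sends an in-memory request (no network) and returns the status code.
func ProbeStatus(h http.Handler, method, path, userID string) int {
	req := httptest.NewRequest(method, path, nil)
	if userID != "" {
		req.Header.Set("Mattermost-User-Id", userID)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const path = "/api/v1/channel123/subscription/page" // constructed sample path
	fmt.Println("unpatched, no header:", ProbeStatus(NewRouter(false), http.MethodPut, path, ""))
	fmt.Println("patched, no header:  ", ProbeStatus(NewRouter(true), http.MethodPut, path, ""))
	fmt.Println("patched, with header:", ProbeStatus(NewRouter(true), http.MethodPut, path, "user-abc"))
}
```

The design point is that the authentication decision lives in one place, the route table plus checkAuth, rather than in each handler; a new endpoint registered without the flag is visible in a code review of the table itself, which is the kind of single, uniform check whose absence the write-up identifies as the root cause.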
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost-plugin-confluence | go | < 1.5.0 | 1.5.0 |