CVE-2025-53857

CWE-862 — Missing Authorization5 documents4 sources

Severity

3.7LOW

EPSS

0.0%

top 90.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Mattermost Confluence Plugin Github.com Mattermost/mattermost-plugin-confluence Mattermost Confluence

Timeline

PublishedAug 11

Latest updateAug 18

Description

Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5mattermost/mattermost_confluence_plugin< 1.5.0

▶Gogithub.com/mattermost/mattermost-plugin-confluence< 1.5.0

▶NVDmattermost/confluence< 1.5.0

🔴Vulnerability Details

OSV

Mattermost Confluence Plugin has Missing Authorization vulnerability in github.com/mattermost/mattermost-plugin-confluence↗2025-08-18

▶

OSV

Mattermost Confluence Plugin has Missing Authorization vulnerability↗2025-08-11

▶

GHSA

Mattermost Confluence Plugin has Missing Authorization vulnerability↗2025-08-11

▶

CVEList

Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin↗2025-08-11

▶